[SSSD] Re: [PATCHES] Data provider refactoring

2016-06-16 Thread Jakub Hrozek
On Thu, Jun 16, 2016 at 04:40:15PM +0200, Pavel Březina wrote: > On 06/16/2016 03:32 PM, Lukas Slebodnik wrote: > > On (16/06/16 10:32), Pavel Březina wrote: > > > On 06/15/2016 09:57 PM, Lukas Slebodnik wrote: > > > > On (15/06/16 21:54), Lukas Slebodnik wrote: > > > > > On (15/06/16 21:08), Lukas

[SSSD] Re: [PATCH] DEBUG: Add `debug` alias for debug_level

2016-06-16 Thread Jakub Hrozek
On Wed, Jun 08, 2016 at 09:23:39AM +0200, Pavel Březina wrote: > Ack from me as well. master: 131684b9107a3fc07906013d16b35975531f2864 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-devel@li

[SSSD] Re: [PATCH] ssh: skip invalid certificates

2016-06-16 Thread Jakub Hrozek
On Thu, Jun 16, 2016 at 01:33:47PM +0200, Jakub Hrozek wrote: > On Tue, Jun 07, 2016 at 03:58:31PM +0200, Sumit Bose wrote: > > > You need to free tmp_ctx in this function. > > > > ah. sorry, I added it to the caller and forgot to add it to the new > > function. New

[SSSD] Re: [PATCH] Add underlying diagnostic message for SSL errors.

2016-06-16 Thread Jakub Hrozek
On Tue, Jun 14, 2016 at 03:25:19PM +0200, Pavel Březina wrote: > On 06/09/2016 04:04 PM, Jakub Hrozek wrote: > > Hi, > > > > the reporter of https://fedorahosted.org/sssd/ticket/3005 kindly > > submitted a patch. I'm resending it here for review (looks good to

[SSSD] Re: [PATCH] ssh: skip invalid certificates

2016-06-16 Thread Jakub Hrozek
On Tue, Jun 07, 2016 at 03:58:31PM +0200, Sumit Bose wrote: > > You need to free tmp_ctx in this function. > > ah. sorry, I added it to the caller and forgot to add it to the new > function. New version attached. > > bye, > Sumit Thank you, ACK CI: http://sssd-ci.duckdns.org/logs/job/45/27/summ

[SSSD] Re: [PATCHES] Data provider refactoring

2016-06-16 Thread Jakub Hrozek
On Wed, Jun 15, 2016 at 09:57:45PM +0200, Lukas Slebodnik wrote: > On (15/06/16 21:54), Lukas Slebodnik wrote: > >On (15/06/16 21:08), Lukas Slebodnik wrote: > >>On (15/06/16 19:08), Lukas Slebodnik wrote: > >>>On (15/06/16 14:08), Pavel Březina wrote: > On 06/15/2016 08:44 AM, Lukas Slebodnik

[SSSD] Re: [PATCH] sdap: improve filtering of multiple results in GC lookups

2016-06-13 Thread Jakub Hrozek
On Mon, Jun 13, 2016 at 03:16:25PM +0200, Lukas Slebodnik wrote: > On (29/02/16 11:17), Jakub Hrozek wrote: > >On Thu, Feb 25, 2016 at 01:37:27PM +0100, Sumit Bose wrote: > >> On Thu, Feb 25, 2016 at 12:50:55PM +0100, Jakub Hrozek wrote: > >> > On Tue, Feb 23, 2016 a

[SSSD] Re: [PATCH] pam-srv-tests: Increase cached_auth_timeout

2016-06-10 Thread Jakub Hrozek
On Fri, Jun 10, 2016 at 04:42:51PM +0200, Lukas Slebodnik wrote: > On (10/06/16 12:07), Sumit Bose wrote: > >On Fri, Jun 10, 2016 at 11:09:49AM +0200, Lukas Slebodnik wrote: > >> On (10/06/16 09:54), Sumit Bose wrote: > >> >On Fri, Jun 10, 2016 at 09:26:38AM +0200, Lukas Slebodnik wrote: > >> >> eh

[SSSD] Re: [PATCH] systemtap-based performance probes

2016-06-09 Thread Jakub Hrozek
On Thu, Jun 09, 2016 at 11:33:40AM +0200, Lukas Slebodnik wrote: > On (08/06/16 19:11), Lukas Slebodnik wrote: > >On (07/06/16 23:27), Jakub Hrozek wrote: > >>On Mon, Jun 06, 2016 at 05:50:03PM +0200, Lukas Slebodnik wrote: > >>> >diff --git a/src/external/systemt

[SSSD] [PATCH] Add underlying diagnostic message for SSL errors.

2016-06-09 Thread Jakub Hrozek
Hi, the reporter of https://fedorahosted.org/sssd/ticket/3005 kindly submitted a patch. I'm resending it here for review (looks good to me btw) >From 765c3fdd384a427445eca6c7e367d39c1e2f9558 Mon Sep 17 00:00:00 2001 From: Graham Leggett Date: Thu, 9 Jun 2016 15:27:34 +0200 Subject: [PATCH] Add un

[SSSD] Re: [PATCH] RESPONDER: Fix error check in cache_req.c

2016-06-09 Thread Jakub Hrozek
On Thu, Jun 09, 2016 at 12:28:51PM +0200, Lukas Slebodnik wrote: > On (09/06/16 12:25), Jakub Hrozek wrote: > >On Thu, Jun 09, 2016 at 12:20:25PM +0200, Lukas Slebodnik wrote: > >> On (09/06/16 12:06), Jakub Hrozek wrote: > >> >On Thu, Jun 09, 2016 at 10:37:19A

[SSSD] Re: [PATCH] RESPONDER: Fix error check in cache_req.c

2016-06-09 Thread Jakub Hrozek
On Thu, Jun 09, 2016 at 12:20:25PM +0200, Lukas Slebodnik wrote: > On (09/06/16 12:06), Jakub Hrozek wrote: > >On Thu, Jun 09, 2016 at 10:37:19AM +0200, Lukas Slebodnik wrote: > >> sssd-1-13: > >> * d9ccb66522adcf9fbbe3772a7b712e6bdcb2ad46 > > > >Unfortunatel

[SSSD] Re: [PATCH] RESPONDER: Fix error check in cache_req.c

2016-06-09 Thread Jakub Hrozek
On Thu, Jun 09, 2016 at 10:37:19AM +0200, Lukas Slebodnik wrote: > sssd-1-13: > * d9ccb66522adcf9fbbe3772a7b712e6bdcb2ad46 Unfortunately the debug macro doesn't seem to be in sssd-1-13, can we revert the patch from that branch?

[SSSD] Re: [PATCHES] ipa: add support for certificate overrides

2016-06-08 Thread Jakub Hrozek
On Wed, Jun 08, 2016 at 03:39:11PM +0200, Sumit Bose wrote: > On Tue, Jun 07, 2016 at 04:40:42PM +0200, Jakub Hrozek wrote: > > On Tue, Jun 07, 2016 at 02:55:40PM +0200, Sumit Bose wrote: > > > On Tue, Jun 07, 2016 at 01:56:10PM +0200, Jakub Hrozek wrote: > > > > On T

[SSSD] [PATCH] RESPONDER: Fix error check in cache_req.c

2016-06-08 Thread Jakub Hrozek
Hi, I found this little bug when reviewing Pavel's sudo patch. >From f0724df7da5029d73c3cd0806beb1a17e9063ec3 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 8 Jun 2016 15:12:14 +0200 Subject: [PATCH] RESPONDER: Fix error check in cache_req.c --- src/responde

[SSSD] Re: [PATCH] AD: use krb5_keytab for subdomain initialization

2016-06-08 Thread Jakub Hrozek
On Fri, Apr 22, 2016 at 04:29:36PM +0200, Sumit Bose wrote: > On Fri, Apr 22, 2016 at 03:20:56PM +0200, Jakub Hrozek wrote: > > On Wed, Apr 13, 2016 at 03:45:22PM +0200, Sumit Bose wrote: > > > Hi, > > > > > > this is a bit of a follow-up patch to "subdom

[SSSD] Re: [PATCH] Add winbind idmap plugin

2016-06-08 Thread Jakub Hrozek
On Tue, May 10, 2016 at 11:10:05AM +0200, Sumit Bose wrote: > Hi, > > this patch adds a new plugin similar to the one for the cifs-utils which > allows winbind to use the same id-mapping as SSSD. > > Currently I only added it to the dlopen test because I think it would be > best to test it direct

[SSSD] Re: [PATCH] systemtap-based performance probes

2016-06-07 Thread Jakub Hrozek
; It can be simplified to 'tapset_dir="${withval}"' after > updating help string. Fixed > > >+[tapset_dir="\$(datadir)/systemtap/tapset"]) > >

[SSSD] Re: [PATCHES] ipa: add support for certificate overrides

2016-06-07 Thread Jakub Hrozek
On Tue, Jun 07, 2016 at 02:55:40PM +0200, Sumit Bose wrote: > On Tue, Jun 07, 2016 at 01:56:10PM +0200, Jakub Hrozek wrote: > > On Tue, Jun 07, 2016 at 12:28:22PM +0200, Sumit Bose wrote: > > > sure, here you are. > > > > > > bye, > > > Sumi

[SSSD] Re: [PATCH] DEBUG: Add `debug` alias for debug_level

2016-06-07 Thread Jakub Hrozek
On Fri, Jun 03, 2016 at 09:34:46AM -0400, Stephen Gallagher wrote: > On 04/28/2016 09:30 AM, Lukas Slebodnik wrote: > > On (27/04/16 15:18), Stephen Gallagher wrote: > >> On 04/27/2016 05:57 AM, Pavel Březina wrote: > >>> On 04/26/2016 05:08 PM, Stephen Gallagher wrote: > Our users constantly

[SSSD] Re: [PATCHES] p11: add no_verification option

2016-06-07 Thread Jakub Hrozek
On Tue, Jun 07, 2016 at 03:11:49PM +0200, Sumit Bose wrote: > On Tue, Jun 07, 2016 at 02:42:56PM +0200, Jakub Hrozek wrote: > > On Mon, May 30, 2016 at 04:32:20PM +0200, Sumit Bose wrote: > > > > oops, yes I guess this would be a good idea. I'll send a new patch. > &g

[SSSD] Re: [PATCH] ssh: skip invalid certificates

2016-06-07 Thread Jakub Hrozek
On Fri, Jun 03, 2016 at 08:17:01PM +0200, Sumit Bose wrote: > Hi, > > currently the code which generates ssh key from the public keys in the > user certificates fails if one certificate cannot be validated and > terminates the whole request. It is of course valid that the user entry > might contai

[SSSD] Re: [PATCHES] p11: add no_verification option

2016-06-07 Thread Jakub Hrozek
On Mon, May 30, 2016 at 04:32:20PM +0200, Sumit Bose wrote: > > oops, yes I guess this would be a good idea. I'll send a new patch. > > > > new version attached. > > bye, > Sumit One last question, do we want to add the ocsp_default_responder and ocsp_default_responder_signing_cert options to c

[SSSD] Re: [PATCHES] ipa: add support for certificate overrides

2016-06-07 Thread Jakub Hrozek
On Tue, Jun 07, 2016 at 12:28:22PM +0200, Sumit Bose wrote: > sure, here you are. > > bye, > Sumit Hmm, are these the correct patches? /home/remote/jhrozek/devel/sssd/src/db/sysdb_views.c: In function 'sysdb_search_override_by_cert': /home/remote/jhrozek/devel/sssd/src/db/sysdb_views.c:880:11:

[SSSD] Re: [PATCH] PAM: add pam_sss option allow_missing_name

2016-06-07 Thread Jakub Hrozek
On Tue, Jun 07, 2016 at 12:18:17PM +0200, Jakub Hrozek wrote: > On Mon, Jun 06, 2016 at 10:56:52AM +0200, Sumit Bose wrote: > > On Fri, Jun 03, 2016 at 05:56:45PM +0200, Jakub Hrozek wrote: > > > On Wed, Jun 01, 2016 at 06:31:29PM +0200, Sumit Bose wrote: > > > > Hi,

[SSSD] Re: [PATCH] PAM: add pam_sss option allow_missing_name

2016-06-07 Thread Jakub Hrozek
On Mon, Jun 06, 2016 at 10:56:52AM +0200, Sumit Bose wrote: > On Fri, Jun 03, 2016 at 05:56:45PM +0200, Jakub Hrozek wrote: > > On Wed, Jun 01, 2016 at 06:31:29PM +0200, Sumit Bose wrote: > > > Hi, > > > > > > that attached two patches would allow to use the

[SSSD] Re: [PATCHES] ipa: add support for certificate overrides

2016-06-07 Thread Jakub Hrozek
On Mon, Jun 06, 2016 at 11:06:06AM +0200, Sumit Bose wrote: > On Fri, Jun 03, 2016 at 02:56:08PM +0200, Jakub Hrozek wrote: > > On Fri, May 20, 2016 at 09:13:29PM +0200, Sumit Bose wrote: > > > Hi, > > > > > > this set of patches should resolve > > &

[SSSD] Re: Design document - sssctl

2016-06-07 Thread Jakub Hrozek
On Tue, Jun 07, 2016 at 11:53:55AM +0200, Pavel Březina wrote: > On 06/07/2016 11:36 AM, Jakub Hrozek wrote: > > On Mon, Jun 06, 2016 at 02:09:57PM +0200, Pavel Březina wrote: > > > On 03/22/2016 12:42 PM, Pavel Reichl wrote: > > > > Hello, > > > > >

[SSSD] Re: [PATCH] libwbclient: wbcSidsToUnixIds() don't fail on errors

2016-06-07 Thread Jakub Hrozek
On Mon, Jun 06, 2016 at 03:22:22PM +0300, Alexander Bokovoy wrote: > ACK. master: 52f1093ef3d7c44132ec10c57436865b2cbb19d7 sssd-1-13: 15ad5f603a5797c61a01f67365c2581c7bddcdfa

[SSSD] Re: Design document - sssctl

2016-06-07 Thread Jakub Hrozek
On Mon, Jun 06, 2016 at 02:09:57PM +0200, Pavel Březina wrote: > On 03/22/2016 12:42 PM, Pavel Reichl wrote: > > Hello, > > > > Pavel Březina and I have prepared the 1st draft of design document. We > > mostly focused on summing up its future functionality and its interface. > > > > Please commen

[SSSD] Re: Session Recording control options

2016-06-07 Thread Jakub Hrozek
On Mon, Jun 06, 2016 at 06:24:53PM +0300, Nikolai Kondrashov wrote: > On 06/06/2016 06:20 PM, Sumit Bose wrote: > > On Mon, Jun 06, 2016 at 04:24:35PM +0300, Nikolai Kondrashov wrote: > > > Hi everyone, > > > > > > After a little discussion with Dmitri and Sumit we decided that we'll need > > > op

[SSSD] Re: [PATCHES] Support starting SSSD from a default configuration

2016-06-03 Thread Jakub Hrozek
On Fri, Jun 03, 2016 at 05:55:24PM +0200, Lukas Slebodnik wrote: > On (03/06/16 09:07), Stephen Gallagher wrote: > >On 05/13/2016 10:29 AM, Lukas Slebodnik wrote: > >> On (11/05/16 17:35), Lukas Slebodnik wrote: > >>> On (10/05/16 17:06), Jakub Hrozek wrote: > &

[SSSD] Re: [PATCH] PAM: add pam_sss option allow_missing_name

2016-06-03 Thread Jakub Hrozek
On Wed, Jun 01, 2016 at 06:31:29PM +0200, Sumit Bose wrote: > Hi, > > that attached two patches would allow to use the Smartcard support in > gdm with SSSD. To use it you should replace pam_pkcs11 in > /etc/pam.d/smartcard-auth in the auth section by > > auth sufficient pam_sss.s

[SSSD] Re: [PATCH] sudo man page: say that we support IPA schema

2016-06-03 Thread Jakub Hrozek
On Wed, Jun 01, 2016 at 11:58:45AM +0200, Pavel Březina wrote: > SSIA > From 2101e03fa59fec3f834b48256a287f456662d7c2 Mon Sep 17 00:00:00 2001 > From: =?UTF-8?q?Pavel=20B=C5=99ezina?= > Date: Wed, 1 Jun 2016 11:57:53 +0200 > Subject: [PATCH] sudo man page: say that we support IPA schema > > ---

[SSSD] Re: [PATCHES] ipa: add support for certificate overrides

2016-06-03 Thread Jakub Hrozek
On Fri, Jun 03, 2016 at 02:56:08PM +0200, Jakub Hrozek wrote: > On Fri, May 20, 2016 at 09:13:29PM +0200, Sumit Bose wrote: > > Hi, > > > > this set of patches should resolve > > https://fedorahosted.org/sssd/ticket/2897 "Smart Cards: Certificate in > > the

[SSSD] Re: [PATCH] GPO: Add "polkit-1" to ad_gpo_map_allow

2016-06-03 Thread Jakub Hrozek
On Fri, Jun 03, 2016 at 09:07:57AM -0400, Stephen Gallagher wrote: > On 05/13/2016 09:07 AM, Stephen Gallagher wrote: > > Polkit is an authorization mechanism of its own (similar to sudo). SSSD > > doesn't > > need to apply additional authorization decisions atop it, so we'll just > > accept > >

[SSSD] Re: [PATCH] AD_PROVIDER: Fix constant char *

2016-06-03 Thread Jakub Hrozek
On Fri, Jun 03, 2016 at 02:38:01PM +0200, Fabiano Fidêncio wrote: > On Fri, Jun 3, 2016 at 2:32 PM, Lukas Slebodnik wrote: > > On (03/06/16 09:38), Sumit Bose wrote: > >>On Fri, Jun 03, 2016 at 08:22:10AM +0200, Petr Cech wrote: > >>> bump > >> > >>obvious ACK, just waiting for the CI to finish. >

[SSSD] Re: [PATCHES] ipa: add support for certificate overrides

2016-06-03 Thread Jakub Hrozek
On Fri, May 20, 2016 at 09:13:29PM +0200, Sumit Bose wrote: > Hi, > > this set of patches should resolve > https://fedorahosted.org/sssd/ticket/2897 "Smart Cards: Certificate in > the ID View" and cover all other use cases from > https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertifica

[SSSD] Re: [PATCH] systemtap-based performance probes

2016-06-03 Thread Jakub Hrozek
On Mon, May 09, 2016 at 10:04:37AM +0200, Jakub Hrozek wrote: > Hi, > > the attached patches are the first self-contained part of my performance > work. Using them, I analyzed the performance of 'id' as the worst-case, > then realized most of the issues are around pro

[SSSD] Re: [PATCH] LDAP: Try also the AD access control for IPA users

2016-06-03 Thread Jakub Hrozek
On Wed, May 18, 2016 at 10:29:37AM +0200, Pavel Březina wrote: > On 05/17/2016 03:11 PM, Jakub Hrozek wrote: > > On Wed, May 11, 2016 at 11:58:11AM +0200, Jakub Hrozek wrote: > > > Hi, > > > > > > the attached patch implements Sumit's idea to solve > &

[SSSD] Re: [PATCH] sudo: solve problems with fully qualified names

2016-05-31 Thread Jakub Hrozek
On Fri, May 27, 2016 at 11:54:20AM +0200, Pavel Březina wrote: > See commit message for details. > > Two configurations need to be tested -- a domain with > use_fully_qualified_name = true and configuration with IPA-AD trusts where > default_domain_suffix is set to AD domain. > From 25f8cb5101f8

[SSSD] Re: [PATCH] Improve handling of fds with child processes

2016-05-31 Thread Jakub Hrozek
On Fri, May 27, 2016 at 10:58:23AM +0200, Petr Cech wrote: > On 05/19/2016 10:17 PM, Jakub Hrozek wrote: > > Hi, > > > > the attached two patches fix issues with handling of pipes towards our > > child processes. The first patch is more important as the leak occurs &

[SSSD] Re: Add sysdb_{add,replace,delete}_string() and sysdb_{add,replace,delete}_ulong()

2016-05-31 Thread Jakub Hrozek
On Fri, May 27, 2016 at 07:41:51AM +0200, Petr Cech wrote: > On 05/27/2016 07:19 AM, Petr Cech wrote: > > Hi Fabiano, > > > > thanks for patch set. > > > > The first version passed CI tests. The second version looks good to me, > > I will finally ack your patch set after second run of CI tests. >

[SSSD] Re: [DESIGN] Prompting For Multiple Authentication Types

2016-05-31 Thread Jakub Hrozek
On Mon, May 30, 2016 at 03:49:43PM +0200, Sumit Bose wrote: > Hi, > > please find the SSSD design page for the Authentication Indicator > (http://www.freeipa.org/page/V4/Authentication_Indicators) related changes on > the SSSD side tracked by https://fedorahosted.org/sssd/ticket/2988 at > https://

[SSSD] Re: Design document - sssctl

2016-05-30 Thread Jakub Hrozek
Sure, file an upstream ticket or a downstream bug. But I don't think this is in scope of the next release. > On 30 May 2016, at 18:06, Arpit Tolani wrote: > > Hello > > Some of my customers are asking if we have a command line option to dump > information of all SSSD current settings, Can we

[SSSD] Re: [PATCH] RESPONDERS: Negative caching of local users

2016-05-30 Thread Jakub Hrozek
On Mon, May 30, 2016 at 10:42:13AM +0200, Pavel Březina wrote: > On 05/27/2016 04:32 PM, Petr Cech wrote: > > Hi, > > > > I have new version of this patch set. > > I fixed CI tests on debian [1]. My thanks belongs to Lukas and Nikolai. > > > > > > [1] http://sssd-ci.duckdns.org/logs/job/44/04/su

[SSSD] Re: Add sysdb_{add,replace,delete}_string() and sysdb_{add,replace,delete}_ulong()

2016-05-26 Thread Jakub Hrozek
On Thu, May 26, 2016 at 04:18:32PM +0200, Fabiano Fidêncio wrote: > Please, see the attached patches. Hey Fabiano, Thank you for the patches! I admit I haven't tested the patches yet, just scrolled through the diffs. See some comments inline. But I would also like someone else to chime in becaus

[SSSD] Re: [PATCHES] Data provider refactoring

2016-05-26 Thread Jakub Hrozek
On Thu, May 26, 2016 at 11:31:07AM +0200, Lukas Slebodnik wrote: > On (16/05/16 14:00), Pavel Březina wrote: > >Hi, > >the patches are finally ready to be tested and reviewed. It is too huge to be > >sent to the list so please checkout my fedorapeople or github repo: > > > >https://fedorapeople.org

[SSSD] Re: [PATCH] IPA: use forest name when looking up the Global Catalog

2016-05-24 Thread Jakub Hrozek
On Tue, May 17, 2016 at 12:33:00PM +0200, Sumit Bose wrote: > Hi, > > this patch fixes a typo in the IPA AD related code, to look up the > Global Catalog via DNS the forest name should be used and not the name > of the current domain. > > bye, > Sumit * master: 149174acae677d1e72a0da431bf0850d

[SSSD] Re: [PATCH] IPA: use forest name when looking up the Global Catalog

2016-05-24 Thread Jakub Hrozek
On Tue, May 17, 2016 at 12:33:00PM +0200, Sumit Bose wrote: > Hi, > > this patch fixes a typo in the IPA AD related code, to look up the > Global Catalog via DNS the forest name should be used and not the name > of the current domain. > > bye, > Sumit ACK CI is down, but this is a one-liner a

[SSSD] [PATCH] Improve handling of fds with child processes

2016-05-19 Thread Jakub Hrozek
#3017. The second patch is more about defensive programming and fixes #3006. >From 2f88d95d8c72f1333ce1fc12a1ba18249447c11e Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 19 May 2016 17:24:51 +0200 Subject: [PATCH 1/2] AD: Do not leak file descriptors during machine password renewal

[SSSD] Re: [PATCH] Terminate forked process if adcli is not installed

2016-05-19 Thread Jakub Hrozek
On Thu, May 19, 2016 at 08:16:36AM +0200, Lukas Slebodnik wrote: > Could we use EXIT_FAILURE? > > Otherwise nice work. Sure, new patches are attached. >From 6941f025e6a93c3f4bc13ee5fa24f4724ab3039f Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 17 May 2016 11:52:00 +0200 Sub

[SSSD] Re: [PATCH] LDAP: Try also the AD access control for IPA users

2016-05-17 Thread Jakub Hrozek
On Wed, May 11, 2016 at 11:58:11AM +0200, Jakub Hrozek wrote: > Hi, > > the attached patch implements Sumit's idea to solve > https://fedorahosted.org/sssd/ticket/2927 > > The user who reported the bug confirmed that the patch works. As an > additional improvement,

[SSSD] [PATCH] Terminate forked process if adcli is not installed

2016-05-17 Thread Jakub Hrozek
et to STDOUT_FILENO and extra_argv is always NULL. */ -errno_t exec_child(TALLOC_CTX *mem_ctx, - int *pipefd_to_child, int *pipefd_from_child, - const char *binary, int debug_fd); +void exec_child(TALLOC_CTX *mem_ctx, +int *pipefd_to_child, int *pipefd_from

[SSSD] Re: [PATCH] IPA: Handle requests for netgroups from trusted domains gracefully

2016-05-11 Thread Jakub Hrozek
On Wed, May 11, 2016 at 01:57:53PM +0200, Pavel Březina wrote: > On 05/06/2016 03:04 PM, Jakub Hrozek wrote: > > To reproduce, just run: > > getent netgroup some_name@trusted.domain > > > > Please see the commit message for explanation. The other solution would

[SSSD] Re: [PATCH SET] Make the negcache timeout part of nc_ctx

2016-05-11 Thread Jakub Hrozek
On Wed, May 11, 2016 at 10:34:47AM +0200, Pavel Březina wrote: > On 05/10/2016 01:31 PM, Pavel Březina wrote: > > On 05/02/2016 03:02 PM, Petr Cech wrote: > > > On 04/28/2016 01:39 PM, Pavel Březina wrote: > > > > Hi, just few nitpicks: > > > > > > > > Patch 1 NEGCACHE: Adding timeout to struct ss

[SSSD] Re: [PATCH] Failover to next server if authentication fails

2016-05-11 Thread Jakub Hrozek
On Wed, May 11, 2016 at 11:42:40AM +0200, Jakub Hrozek wrote: > On Wed, May 11, 2016 at 10:24:10AM +0200, Pavel Březina wrote: > > On 05/10/2016 04:00 PM, Jakub Hrozek wrote: > > > On Thu, Apr 21, 2016 at 02:54:21PM +0200, Pavel Březina wrote: > > > > We can

[SSSD] Re: [PATCHES] Support starting SSSD from a default configuration

2016-05-11 Thread Jakub Hrozek
On Tue, May 10, 2016 at 05:06:41PM +0200, Jakub Hrozek wrote: > OK, for posterity, attached are the patches (RB: me) that I would like > to commit. > > CI passed as well: > http://sssd-ci.duckdns.org/logs/job/43/08/summary.html > (The failure on debian is in dyndns-tests,

[SSSD] Re: [PATCH] IPA: Handle requests for netgroups from trusted domains gracefully

2016-05-11 Thread Jakub Hrozek
On Fri, May 06, 2016 at 03:04:42PM +0200, Jakub Hrozek wrote: > To reproduce, just run: > getent netgroup some_name@trusted.domain > > Please see the commit message for explanation. The other solution would > be the other way around, ie always go to the code that handles lookup

[SSSD] [PATCH] LDAP: Try also the AD access control for IPA users

2016-05-11 Thread Jakub Hrozek
. But honestly I don't know if and how this could be solved (we would need to fetch this attribute always on initgroups on both client and server..) so I would prefer additional ticket and merge this patch first. >From 01598f563378f8cf85e7a7fb0c29e7bf32518c3f Mon Sep 17 00:00:00 2001 From:

[SSSD] Re: [PATCH] Failover to next server if authentication fails

2016-05-11 Thread Jakub Hrozek
On Wed, May 11, 2016 at 10:24:10AM +0200, Pavel Březina wrote: > On 05/10/2016 04:00 PM, Jakub Hrozek wrote: > > On Thu, Apr 21, 2016 at 02:54:21PM +0200, Pavel Březina wrote: > > > We can fail in sasl_bind_send() with ERR_AUTH_FAILED for basically > > > unspecified re

[SSSD] Re: [PATCH] Do not crash if GetUserAttrs cannot be parsed

2016-05-11 Thread Jakub Hrozek
On Wed, May 11, 2016 at 10:28:16AM +0200, Jakub Hrozek wrote: > On Tue, May 10, 2016 at 12:53:08PM +0200, Pavel Březina wrote: > > On 05/10/2016 12:34 PM, Jakub Hrozek wrote: > > > On Tue, May 10, 2016 at 12:06:39PM +0200, Pavel Březina wrote: > > > > On 05/05/201

[SSSD] Re: [PATCH] Do not crash if GetUserAttrs cannot be parsed

2016-05-11 Thread Jakub Hrozek
On Tue, May 10, 2016 at 12:53:08PM +0200, Pavel Březina wrote: > On 05/10/2016 12:34 PM, Jakub Hrozek wrote: > > On Tue, May 10, 2016 at 12:06:39PM +0200, Pavel Březina wrote: > > > On 05/05/2016 11:38 AM, Jakub Hrozek wrote: > > > > On Wed, Apr 27, 2016 at 11:47:5

[SSSD] Re: [PATCHES] Support starting SSSD from a default configuration

2016-05-10 Thread Jakub Hrozek
On Tue, May 10, 2016 at 09:51:18AM -0400, Stephen Gallagher wrote: > On 05/10/2016 09:45 AM, Jakub Hrozek wrote: > > On Tue, Apr 19, 2016 at 02:09:14PM -0400, Stephen Gallagher wrote: > >> These patches provide support for shipping a default configuration file > >>

[SSSD] Re: [PATCHES] p11: add no_verification option

2016-05-10 Thread Jakub Hrozek
On Thu, Apr 14, 2016 at 01:48:50PM +0200, Sumit Bose wrote: > Hi, > > the following 3 patches are related to the Smartcard authentication > feature but imo can be tested even without having one. > > The first patch just adds some missing pieces. The second adds a new > 'no_verification' switch to

[SSSD] [PATCH] FO: Set port to NOT_WORKING when trying a next server

2016-05-10 Thread Jakub Hrozek
be_fo_try_next_server() set the port status to NEUTRAL. That caused the connection code to run again, hit the same timeout issue and then cycle again and again.. Can anyone parse from the code why do we set the port to neutral instead of not_working in be_fo_try_next_server() ? >From 37806e08b

[SSSD] Re: [PATCH] Failover to next server if authentication fails

2016-05-10 Thread Jakub Hrozek
On Thu, Apr 21, 2016 at 02:54:21PM +0200, Pavel Březina wrote: > We can fail in sasl_bind_send() with ERR_AUTH_FAILED for basically > unspecified reason but we do not failover to next server. This patch should > fix it. > > As said on the meeting, I didn't reproduce it and I'm not sure if it will

[SSSD] Re: [PATCHES] Support starting SSSD from a default configuration

2016-05-10 Thread Jakub Hrozek
On Tue, Apr 19, 2016 at 02:09:14PM -0400, Stephen Gallagher wrote: > These patches provide support for shipping a default configuration file that > the > monitor will automatically copy to /etc/sssd/sssd.conf if none already exists. > The idea is for distributions to be able to provide a default (

[SSSD] Re: Idea for multilib handling in Fedora and RHEL

2016-05-10 Thread Jakub Hrozek
On Tue, May 10, 2016 at 01:24:51PM +0200, Lukas Slebodnik wrote: > On (10/05/16 06:40), Stephen Gallagher wrote: > >I was thinking this morning again about how we could deal with the 32-bit on > >64-bit problem. On Fedora 24 and newer, we have the ability to use rich RPM > >dependencies (Recommen

[SSSD] Re: [PATCH] Do not crash if GetUserAttrs cannot be parsed

2016-05-10 Thread Jakub Hrozek
On Tue, May 10, 2016 at 12:06:39PM +0200, Pavel Březina wrote: > On 05/05/2016 11:38 AM, Jakub Hrozek wrote: > > On Wed, Apr 27, 2016 at 11:47:50AM +0200, Pavel Březina wrote: > > > >Can you also extend sbus_request_invoke_or_finish() to treat > > > >ERR_SBUS_RE

[SSSD] Re: sssd behaviour with large nested netgroups.

2016-05-09 Thread Jakub Hrozek
On Mon, May 09, 2016 at 11:04:59PM -0500, Malahal Naineni wrote: > Hi All, > > We have ganesha NFS server that calls innetgr() call to validate > client request. Noticing that all ganesha threads were making innetgr() > calls and spending a lot of time there, I wrote a small script that just

[SSSD] Re: [PATCH] Unit tests for pam_sss using pam_wrapper (need help with CI..)

2016-05-09 Thread Jakub Hrozek
On Wed, May 04, 2016 at 11:36:57PM +0200, Lukas Slebodnik wrote: > On (27/04/16 10:51), Jakub Hrozek wrote: > >Hi, > > > >the attached patches implement unit tests for the pam_sss module using > >pam_wrapper and libpamtest. In my testing, the coverage is around 75% &g

[SSSD] [PATCH] systemtap-based performance probes

2016-05-09 Thread Jakub Hrozek
ks to Lukas for helping me a lot with the build failures on #sssd last week) >From 60d21413ee5b72ed3d732f7a2fbf72a8061040fd Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 1 Dec 2015 23:23:33 +0100 Subject: [PATCH 01/10] UTIL: Add a PROBE macro into probes.h The macros are inspired by v

[SSSD] [PATCH] Make sdap_process_group_send() static

2016-05-09 Thread Jakub Hrozek
Hi, a trivial code-hygiene patch is attached. >From ac33446aaa78b65c6891f486e9ad462101f88a79 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 8 Dec 2015 21:10:27 +0100 Subject: [PATCH] Make sdap_process_group_send() static --- src/providers/ldap/sdap_async_groups.c |

[SSSD] Re: [DESIGN][PATCH] IPA HBAC Time Rules

2016-05-09 Thread Jakub Hrozek
On Mon, May 09, 2016 at 09:21:53AM +0200, Stanislav Laznicka wrote: > From what I've gathered, you would also like to have > it ported to FreeBSD and Solaris (correct me if I'm wrong). I already did > some research on how to get the Olson name there but it all seems a bit > messy so if you know of

[SSSD] Re: [DESIGN] Lookup Users by Certificate - Active Directory

2016-05-06 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 03:38:46PM +0200, Sumit Bose wrote: > Hi, > > please find a new design document at > https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificatePart2. > It describes the extended support for user lookup by certificates namely > for certificates stored in AD and o

[SSSD] [PATCH] IPA: Handle requests for netgroups from trusted domains gracefully

2016-05-06 Thread Jakub Hrozek
group. >From 18cbf559addfeb77ad83b81e23431295a3e5c6ae Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 6 May 2016 15:02:19 +0200 Subject: [PATCH] IPA: Handle requests for netgroups from trusted domains gracefully In ipa_account_info_handler we first check if the request is for a user fro

[SSSD] Re: [PATCH] Do not crash if GetUserAttrs cannot be parsed

2016-05-05 Thread Jakub Hrozek
ve to translate the new error code back to EOK. Sorry, I totally forgot about these patches. Here you go.. >From d3b578dd84acd327f0f623ddb835cd031480bb0a Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 27 Apr 2016 11:11:31 +0200 Subject: [PATCH 1/2] UTIL: Add ERR_SBUS_REQUEST_HANDLED

[SSSD] Re: [PATCH] RESPONDERS: Fix talloc context for negative cache

2016-05-02 Thread Jakub Hrozek
On Mon, May 02, 2016 at 10:47:50AM +0200, Pavel Březina wrote: > On 05/02/2016 08:53 AM, Petr Cech wrote: > > On 04/28/2016 01:41 PM, Pavel Březina wrote: > > > On 04/26/2016 09:38 AM, Petr Cech wrote: > > > > Hi list, > > > > > > > > this simple patch fixes talloc hierarchy in initializing negati

[SSSD] Re: Design document - sssctl

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 06:21:44AM +0530, Arpit Tolani wrote: > Hello Hi Arpit, thank you very much for checking the design document. > > Currently we mostly run > > # service sssd stop ; rm -rf /var/lib/sss/db/* /var/log/sssd/* ; service sssd > start Yes, we plan on implementing this. But a

[SSSD] [PATCH] SSH: Do not print an error message if sss_ssh_authorizedkeys is asked for a local user

2016-04-28 Thread Jakub Hrozek
alling the AuthorizedKeysCommand. >From 2a1eae3d00a85adaf66f2660489d0cbc028f4c9b Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 28 Apr 2016 10:31:45 +0200 Subject: [PATCH] SSH: Do not print an error message if sss_ssh_authorizedkeys is asked for a local user If an IPA client uses the SSH integration and

[SSSD] [PATCH] MAN: Remove references to the obsolete PubkeyAgent ssh option

2016-04-27 Thread Jakub Hrozek
Hi, please see the attached trivial patch. The issue was reported by adelton on IRC. >From 979353eb20849f036522ce4f5edf28f5a989f886 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 27 Apr 2016 12:18:15 +0200 Subject: [PATCH] MAN: Remove references to the obsolete PubkeyAgent ssh opt

[SSSD] Re: [PATCH] Do not crash if GetUserAttrs cannot be parsed

2016-04-27 Thread Jakub Hrozek
On Wed, Apr 20, 2016 at 01:20:14PM +0200, Pavel Březina wrote: > On 04/20/2016 11:56 AM, Jakub Hrozek wrote: > > Hi Pavel, > > > > can you check if this is the right thing to do for methods that parse > > arguments on their own? > > > > To reproduce, it was

[SSSD] Re: [PATCH] MAN: Drop the reference to IPAv2 in the man page

2016-04-27 Thread Jakub Hrozek
On Mon, Mar 21, 2016 at 09:37:45AM +0100, Lukas Slebodnik wrote: > On (17/03/16 22:59), Jakub Hrozek wrote: > >a man page one liner :) > > > >No need to explicitly mention IPAv2, I hope there are no deployments of > >IPAv1 left anymore :) > > > >This

[SSSD] Re: [PATCH] LDAP: Print port in sdap_print_server

2016-04-27 Thread Jakub Hrozek
On Fri, Apr 22, 2016 at 05:04:21PM +0200, Lukas Slebodnik wrote: > On (22/04/16 15:57), Jakub Hrozek wrote: > >On Mon, Apr 11, 2016 at 03:35:52PM +0200, Jakub Hrozek wrote: > >> On Mon, Apr 11, 2016 at 02:58:06PM +0200, Lukas Slebodnik wrote: > >> > On (11/04

[SSSD] Re: Running tests with different environment

2016-04-27 Thread Jakub Hrozek
On Thu, Jan 28, 2016 at 05:12:40PM +0100, Jakub Hrozek wrote: > On Thu, Jan 28, 2016 at 04:19:25PM +0100, Lukas Slebodnik wrote: > > On (27/10/15 22:35), Lukas Slebodnik wrote: > > >On (27/10/15 17:57), Jakub Hrozek wrote: > > >>On Tue, Oct 27, 2015 at 05:42:

[SSSD] Re: [PATCHES] PAM: refactor pam_reply

2016-04-27 Thread Jakub Hrozek
On Mon, May 11, 2015 at 06:28:35PM +0200, Lukas Slebodnik wrote: > On (11/05/15 17:36), Pavel Reichl wrote: > >Rebased patch set is attached. > > Code coverage of function pam_reply was quite high > but it covered just part which was necessary for Sumit's work. > > I thought you would increase co

[SSSD] Re: [PATCH] LDAP: Print port in sdap_print_server

2016-04-22 Thread Jakub Hrozek
On Fri, Apr 22, 2016 at 05:04:21PM +0200, Lukas Slebodnik wrote: > On (22/04/16 15:57), Jakub Hrozek wrote: > >On Mon, Apr 11, 2016 at 03:35:52PM +0200, Jakub Hrozek wrote: > >> On Mon, Apr 11, 2016 at 02:58:06PM +0200, Lukas Slebodnik wrote: > >> > On (11/04

[SSSD] Re: [PATCH] IPA: terminate properly if view name lookup fails

2016-04-22 Thread Jakub Hrozek
On Fri, Apr 22, 2016 at 05:41:31PM +0200, Jakub Hrozek wrote: > On Fri, Apr 22, 2016 at 05:34:47PM +0200, Sumit Bose wrote: > > On Fri, Apr 22, 2016 at 05:17:29PM +0200, Jakub Hrozek wrote: > > > On Fri, Apr 22, 2016 at 05:03:06PM +0200, Lukas Slebodnik wrote: > > > &

[SSSD] Re: [PATCH] IPA: terminate properly if view name lookup fails

2016-04-22 Thread Jakub Hrozek
On Fri, Apr 22, 2016 at 05:34:47PM +0200, Sumit Bose wrote: > On Fri, Apr 22, 2016 at 05:17:29PM +0200, Jakub Hrozek wrote: > > On Fri, Apr 22, 2016 at 05:03:06PM +0200, Lukas Slebodnik wrote: > > > On (22/04/16 15:41), Jakub Hrozek wrote: > > > >On Tue, Apr 19, 2

[SSSD] Re: [PATCH] IPA: terminate properly if view name lookup fails

2016-04-22 Thread Jakub Hrozek
On Fri, Apr 22, 2016 at 05:03:06PM +0200, Lukas Slebodnik wrote: > On (22/04/16 15:41), Jakub Hrozek wrote: > >On Tue, Apr 19, 2016 at 04:11:54PM +0200, Sumit Bose wrote: > >> Hi, > >> > >> this is a follow-up patch to 5a5f1e1053415efaa99bb4d5bc7ce7ac0a95b75

[SSSD] Re: [PATCH] LDAP: Print port in sdap_print_server

2016-04-22 Thread Jakub Hrozek
On Mon, Apr 11, 2016 at 03:35:52PM +0200, Jakub Hrozek wrote: > On Mon, Apr 11, 2016 at 02:58:06PM +0200, Lukas Slebodnik wrote: > > On (11/04/16 13:39), Jakub Hrozek wrote: > > >On Mon, Apr 11, 2016 at 01:12:51PM +0200, Lukas Slebodnik wrote: > > >> ehlo, > > &

[SSSD] Re: [PATCH] intg: Use different uid range for add_remove tests

2016-04-22 Thread Jakub Hrozek
On Wed, Apr 20, 2016 at 01:35:03PM +0200, Petr Cech wrote: > On 04/20/2016 12:52 PM, Lukas Slebodnik wrote: > > On (20/04/16 12:36), Petr Cech wrote: > > > >On 04/18/2016 10:34 AM, Lukas Slebodnik wrote: > > > > >>ehlo, > > > > >> > > > > >>I use special local user for building srpms in mock > > >

[SSSD] Re: [PATCH] IPA: terminate properly if view name lookup fails

2016-04-22 Thread Jakub Hrozek
On Tue, Apr 19, 2016 at 04:11:54PM +0200, Sumit Bose wrote: > Hi, > > this is a follow-up patch to 5a5f1e1053415efaa99bb4d5bc7ce7ac0a95b757 > which removes another call to ipa_check_master() which might cause an > infinite loop on an IPA client if the server does not support views. > > Please not

[SSSD] Re: [PATCH] AD: use krb5_keytab for subdomain initialization

2016-04-22 Thread Jakub Hrozek
On Wed, Apr 13, 2016 at 03:45:22PM +0200, Sumit Bose wrote: > Hi, > > this is a bit of a follow-up patch to "subdomains: inherit > ldap_krb5_keytab". It turned out that if the default keytab contains > some completely unrelated keys the SASL initialization might e.g. pick a > wrong realm name beca

[SSSD] Re: [PRELIMINARY] Data Provider changes

2016-04-22 Thread Jakub Hrozek
On Fri, Apr 22, 2016 at 09:07:09AM +0200, Lukas Slebodnik wrote: > On (21/04/16 18:10), Pavel Reichl wrote: > > > > > >On 04/21/2016 03:24 PM, Pavel Březina wrote: > >> Hi, > >> the data provider code is basically ready for someone to start looking > >> into it. I'm in the process of converting ol

[SSSD] Re: [PATCH SET} A new Secrets service

2016-04-21 Thread Jakub Hrozek
On Wed, Apr 20, 2016 at 02:58:36PM -0400, Simo Sorce wrote: > On Wed, 2016-04-20 at 19:58 +0200, Lukas Slebodnik wrote: > > On (20/04/16 17:21), Jakub Hrozek wrote: > > >On Wed, Apr 20, 2016 at 09:59:19AM -0400, Simo Sorce wrote: > > >> On Wed, 2016-04-20 at 1

[SSSD] Re: [PATCH SET} A new Secrets service

2016-04-20 Thread Jakub Hrozek
On Wed, Apr 20, 2016 at 09:59:19AM -0400, Simo Sorce wrote: > On Wed, 2016-04-20 at 14:16 +0200, Jakub Hrozek wrote: > > On Tue, Apr 05, 2016 at 02:54:10PM -0400, Simo Sorce wrote: > > > On Tue, 2016-04-05 at 12:57 -0400, Simo Sorce wrote: > > > > Thanks, IIRC

[SSSD] Re: [PATCH SET} A new Secrets service

2016-04-20 Thread Jakub Hrozek
On Wed, Apr 20, 2016 at 09:57:03AM -0400, Simo Sorce wrote: > On Wed, 2016-04-20 at 11:55 +0200, Jakub Hrozek wrote: > > On Tue, Apr 05, 2016 at 02:54:10PM -0400, Simo Sorce wrote: > > > On Tue, 2016-04-05 at 12:57 -0400, Simo Sorce wrote: > > > > Thanks, IIRC

[SSSD] Re: [PATCH SET} A new Secrets service

2016-04-20 Thread Jakub Hrozek
On Wed, Apr 20, 2016 at 09:43:05AM -0400, Simo Sorce wrote: > On Wed, 2016-04-20 at 11:12 +0200, Jakub Hrozek wrote: > > On Wed, Apr 20, 2016 at 10:32:59AM +0200, Jakub Hrozek wrote: > > > > > From 0dff46755af6063ed4b0339020ae5bb686692de1 Mon Sep 17 00:00:00 2001 &g
