subj says it all,
bug: https://fedorahosted.org/sssd/ticket/2924
I have compiled and run make check|intgcheck but "not" actively tested
this patch.
HTH,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
From 73bc4d73e84c298de94dd269039310a87305fe5c Mon Sep 17 00:00:00 2001
From: Simo S
On Thu, 2016-01-14 at 12:41 +0100, Jakub Hrozek wrote:
> On Wed, Jan 13, 2016 at 02:56:25PM -0500, Simo Sorce wrote:
> > subj says it all,
> > bug: https://fedorahosted.org/sssd/ticket/2924
> >
> > I have compiled and run make check|intgcheck but "not" activ
On Thu, 2016-01-14 at 17:30 +0100, Jakub Hrozek wrote:
> On Thu, Jan 14, 2016 at 11:03:51AM -0500, Simo Sorce wrote:
> > On Thu, 2016-01-14 at 12:41 +0100, Jakub Hrozek wrote:
> > > On Wed, Jan 13, 2016 at 02:56:25PM -0500, Simo Sorce wrote:
> > > > subj s
.c:24:0:
> >/home/pbrezina/workspace/sssd/src/util/util.h:62:0: note: this is the
> >location of the previous definition
> > #define SSS_ATTRIBUTE_PRINTF(a1, a2) __attribute__ ((format (printf, a1,
> >a2)))
> >
> I might add another #ifdef guard but I decided to rename macro
>
Found this while working on another patch.
It is not evident by this patch alone but ... "trust me" :-)
(I'll send the other patch next, try to apply just that one and see what
I mean if you want)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
From 64c71d6fdd57527af607a61f32c7e
.
--
Simo Sorce * Red Hat, Inc * New York
From 7cc82eff48dabc4b15e119146f36597f4cd75827 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 18 Jan 2016 15:21:57 -0500
Subject: [PATCH] Util: Improve code to get connection credentials
Adds support to get SELINUX context and make code more abstract
On Tue, 2016-01-19 at 09:46 +0100, Lukas Slebodnik wrote:
> On (18/01/16 18:03), Simo Sorce wrote:
> >Found this while working on another patch.
> >
> >It is not evident by this patch alone but ... "trust me" :-)
> >(I'll send the other patch next, try to
On Tue, 2016-01-19 at 02:54 +0100, Michal Židek wrote:
> On 01/19/2016 12:03 AM, Simo Sorce wrote:
> > Found this while working on another patch.
> >
> > It is not evident by this patch alone but ... "trust me" :-)
> > (I'll send the other patch next, try
cating it, I guess I can do that, the headers file would still be
needed in order to avoid huge ifdefs around the functions that implement
handling SELinux stuff. It makes the code a lot more readable and
searchable.
Simo.
--
Simo Sorce * Red Hat, In
murmur hash, is it not ?
Are slices selected linearly as a first come - first serve basis ?
That is not workable, the code must try *hard* to come up with the same
slices regardless of the order in which users "appear".
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Tue, 2016-01-19 at 17:06 +0100, Lukas Slebodnik wrote:
> On (19/01/16 16:47), Michal Židek wrote:
> >On 01/19/2016 04:28 PM, Simo Sorce wrote:
> >>On Tue, 2016-01-19 at 02:54 +0100, Michal Židek wrote:
> >>>On 01/19/2016 12:03 AM, Simo Sorce wrote:
> >>
On Tue, 2016-01-19 at 20:20 +0100, Lukas Slebodnik wrote:
> On (19/01/16 11:30), Simo Sorce wrote:
> >On Tue, 2016-01-19 at 17:06 +0100, Lukas Slebodnik wrote:
> >> On (19/01/16 16:47), Michal Židek wrote:
> >> >On 01/19/2016 04:28 PM, Simo Sorce wrote:
> >
On Tue, 2016-01-19 at 10:34 -0500, Simo Sorce wrote:
> On Tue, 2016-01-19 at 11:23 +0100, Lukas Slebodnik wrote:
> [...]
> > >+#endif /* __SSSD_UTIL_SELINUX_H__ */
> > BTW will we need this header file if we make
> > struct cli_creds opaque?
>
> Replying
On Wed, 2016-01-20 at 16:38 +0100, Lukas Slebodnik wrote:
> On (19/01/16 15:38), Simo Sorce wrote:
> >On Tue, 2016-01-19 at 10:34 -0500, Simo Sorce wrote:
> >> On Tue, 2016-01-19 at 11:23 +0100, Lukas Slebodnik wrote:
> >> [...]
> >> > >+#endif /* __SSSD_U
On Sat, 2016-01-16 at 12:33 +0100, Lukas Slebodnik wrote:
> On (15/01/16 16:09), Simo Sorce wrote:
> >On Fri, 2016-01-15 at 12:44 +0100, Lukas Slebodnik wrote:
> >> On (15/01/16 12:03), Pavel Březina wrote:
> >> >On 01/12/2016 10:15 AM, Lukas Slebodnik wrote:
>
Expired != Disabled
this change is intentional.
Simo.
- Original Message -
> From: "Lukas Slebodnik"
> To: "Development of the System Security Services Daemon"
>
> Cc: "Simo Sorce"
> Sent: Friday, January 29, 2016 9:22:23 AM
> Sub
On Thu, 2016-01-28 at 11:24 +0100, Lukas Slebodnik wrote:
> On (27/01/16 16:30), Nikolai Kondrashov wrote:
> > On 01/27/2016 04:17 PM, Lukas Slebodnik wrote:
> > > You mention many options which could be possibly passed to tlog.
> > > e.g.
> > > TLOG_REC_CONF='{
> > > "shell":"/bin/
; > replace_script = \
> >@@ -3444,7 +3450,9 @@ replace_script = \
> >
> > EXTRA_DIST += \
> > src/sysv/systemd/sssd.service.in \
> >-src/sysv/systemd/journal.conf.in
> >+src/sysv/systemd/journal.conf.in \
> >+src/examples/sssd_localauth.conf.in \
> >+$(NULL)
> >
> > src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile
> > @$(MKDIR_P) src/sysv/systemd/
> >@@ -3454,6 +3462,10 @@ src/sysv/systemd/journal.conf:
> >src/sysv/systemd/journal.conf.in Makefile
> > @$(MKDIR_P) src/sysv/systemd/
> > $(replace_script)
> >
> >+src/examples/sssd_localauth.conf: src/examples/sssd_localauth.conf.in
> >Makefile
> >+@$(MKDIR_P) src/examples/
> >+$(replace_script)
> >+
> > SSSD_USER_DIRS = \
> > $(DESTDIR)$(dbpath) \
> > $(DESTDIR)$(keytabdir) \
> >@@ -3662,6 +3674,7 @@ endif
> > rm -Rf ldb_mod_test_dir
> > rm -f $(builddir)/src/sysv/systemd/sssd.service
> > rm -f $(builddir)/src/sysv/systemd/journal.conf
> >+rm -f $(builddir)/src/examples/sssd_localauth.conf
> >
> > CLEANFILES = *.X */*.X */*/*.X
> >
> >diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
> >index
> >9855e11a8bb0ff3f50ceeae98f383c514011cc90..67f9617bd56ab5f3a467f4db9f5d0b1b8271d50b
> > 100644
> >--- a/contrib/sssd.spec.in
> >+++ b/contrib/sssd.spec.in
> >@@ -836,6 +836,9 @@ rm -rf $RPM_BUILD_ROOT
> > %endif
> > %if (0%{?with_krb5_localauth_plugin} == 1)
> > %{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
> >+%if (0%{?fedora} >= 23)
> >+%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_localauth.conf
> >+%endif
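Review bot: the `%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_localauth.conf` entry in the %files list ships the snippet with the package itself, so it lands in krb5.conf.d at install time whether or not SSSD has been configured, and because it is marked noreplace a later change to the packaged snippet will not reach hosts where the file was edited locally. The `%if (0%{?fedora} >= 23)` guard also carries no comment explaining the version cutoff; a one-line comment on why the file is listed only from Fedora 23 on would help, and whatever installs the file should sit under the same condition so that other builds do not end up with an unpackaged file.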
> Simo,
> Last week you mentioned that packages should not ship
> snippet files in /etc/krb5.conf.d/
>
> As you can see we plan to do it but users can change it
> due to %config(noreplace).
>
> Do you still think it is not a good idea?
> If you do not like it do you have an alternative solution for
> Fedora BZ1145788?
Not a good idea,
the configuration tool should drop there the snippet when it joins a
domain, or perhaps sssd should drop it there at startup (if not already
there) when it knows it can provide information to krb5.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
quot;Cannot retrieve ppolicy\n");
> >+ret = ERR_NETWORK_IO;
> >+goto done;
> >+ }
> >+
> > talloc_zfree(subreq);
> ACK
Not a big deal but we used to talloc_zfree() as the first thing, before
checking (and eventually failing) the return err
On Tue, 2014-09-09 at 10:46 +0200, Jakub Hrozek wrote:
> On Mon, Sep 08, 2014 at 05:09:11PM -0400, Simo Sorce wrote:
> > On Mon, 2014-09-08 at 20:36 +0200, Lukas Slebodnik wrote:
> > > On (08/09/14 20:31), Jakub Hrozek wrote:
> > > >Reported b
s.
> >For this purpose, we have functions in file src/tests/leak_check.c
We could include valgrind.h in the build and let it understand talloc,
we do that in samba. It is better than custom build checkers usually,
and avoids the need to go on the anti-pattern of creating contexts on
NULL.
Simo.
> >---
> Can we get it merged? If not, then why?
>
> Thank you.
>
> LS
--
Simo Sorce * Red Hat, Inc * New York
On Tue, 16 Sep 2014 23:28:04 +0200
Lukas Slebodnik wrote:
> On (16/09/14 17:00), Simo Sorce wrote:
> >On Tue, 16 Sep 2014 21:53:56 +0200
> >Lukas Slebodnik wrote:
> >
> >> On (02/09/14 15:38), Lukas Slebodnik wrote:
> >> >On (02/09/14 14:23), Nikolai Ko
e to access
> > DOMAIN.THEY.SHOULD.NOT.KNOW.ABOUT and all other users are only able
> > to access the public domain.
> >
> > Makes sense?
>
> Simo, does the design page reflect the discussion accurately? Can we
> start on the implementation?
Yes I made a minor edit to the password change clause, should we add a
test point about it too ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Tue, 23 Sep 2014 15:39:19 +0200
Jakub Hrozek wrote:
> On Tue, Sep 23, 2014 at 09:07:06AM -0400, Simo Sorce wrote:
> > > Simo, does the design page reflect the discussion accurately? Can
> > > we start on the implementation?
> >
> > Yes I made a minor e
On Tue, 23 Sep 2014 16:54:45 +0200
Jakub Hrozek wrote:
> On Tue, Sep 23, 2014 at 10:03:36AM -0400, Simo Sorce wrote:
> > On Tue, 23 Sep 2014 15:39:19 +0200
> > Jakub Hrozek wrote:
> >
> > > On Tue, Sep 23, 2014 at 09:07:06AM -0400, Simo Sorce wrote:
> > >
On Mon, 29 Sep 2014 15:28:28 +0200
Jan Pazdziora wrote:
> On Tue, Sep 23, 2014 at 10:03:36AM -0400, Simo Sorce wrote:
> >
> > I would defer this to when we have actual requests for it.
> > I am not necessarily opposed but it will be confusing. You see a
> > list of d
on fedora 21
> https://kojipkgs.fedoraproject.org//packages/sssd/1.12.1/2.fc21/data/logs/x86_64/build.log
> If you have better idea how to fix this warning I will be glad to
> review your patch.
>
> LS
--
Simo Sorce * Red Hat, Inc * New York
not in the allowed_shells list and not in
“/etc/shells”, a nologin shell is used.
A '*' could be used; it seems the only option to implement your idea.
Another option would be to say:
If you define shell_fallback and allowed_shells includes it then
instead of returning nologin
- Original Message -
> From: "Lukas Slebodnik"
> To: "Simo Sorce"
> Cc: sssd-devel@lists.fedorahosted.org
> Sent: Thursday, October 2, 2014 4:20:56 PM
> Subject: Re: [SSSD] [PATCH] Suppress warning maybe-uninitialized
>
> On (02/10/14 15:12), S
* schema */
I still think adding ai > 0 to the condition would better reflect the
existing code behavior, but I won't insist if nobody else cares.
Otherwise Ack.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
e that I'm not sure if PAM
> modules are loaded on every PAM conversation or not. If they
> stay loaded for the duration of the application (like the
> NSS module), then this option is not viable at all.
Pam modules are reloaded at each use, but you do not know how lo
mmitted to master ?
Why do we need this function when we can call directly getpwnam() ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
hen running as root ignore file permission checks because */
check_uid = geteuid();
check_gid = getegid();
if (check_uid == 0) check_uid = -1;
if (check_gid == 0) check_gid = -1;
...
--
Simo Sorce * Red Hat, Inc * New York
>
> ret = EOK;
I wonder if we shouldn't be more cautious here.
Do we need to give the sssd user write access ?
I think probably not, sounds like a great way to prevent "accidental"
changes would be to chown to (0, gid) and chmod so that the group can
only
the SSSD, so I'd like to request a very careful review.
Aside from the points raised in the emails already sent the rest looks
good to me.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
hat could be compared to 1.9.6 quality-wise.
+1
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Thu, 16 Oct 2014 10:23:35 +0200
Jakub Hrozek wrote:
> On Wed, Oct 15, 2014 at 06:17:55PM -0400, Simo Sorce wrote:
> > On Wed, 15 Oct 2014 22:24:04 +0200
> > Jakub Hrozek wrote:
> >
> > > From c0385561ee5e9d050daa43ebf46514f37dad Mon Sep 17 00:00:00
ould get rid of the variables and either use a parameter
> (--default-realm) or just pass the info through the pipe..
Yes and we should use secure_getent() throughout the code or we risk
opening up attacks against setuid binaries.
Simo.
--
Simo Sorce * Red Hat,
On Fri, 17 Oct 2014 18:47:28 +0200
Jakub Hrozek wrote:
> On Thu, Oct 16, 2014 at 10:25:12AM +0200, Jakub Hrozek wrote:
> > On Wed, Oct 15, 2014 at 06:19:49PM -0400, Simo Sorce wrote:
> > > On Wed, 15 Oct 2014 22:24:04 +0200
> > > Jakub Hrozek wrote:
> > >
>
> But I don't think we can do backwards-incompatible changes so easily
> now. It's completely out of question for a minor update (1.12.x) and
> must be handled with extreme care in major update (1.13).
>
> Additionally, we already detect search bases and o
der internals
> outside the provider code.
>
> Simo, I CC-ed you directly because I know you prefer to be aware of
> changes to the data_provider_be.c module. Do you agree with this plan?
Are we sure we will be able to meaningfully separate "privileged
initialization" from
So the only advantage we'd gain is that code that drops privileges
> could be offloaded to libcap that is used and tested by other
> projects, too. But given that we'd keep our code around, too, for
> minimal environments (we have users running sssd on embedded systems
> where
roups are resolvable in the groups cache ?
Or is it ok if gids returned by the getgrouplist are not immediately
available in the groups cache ?
What about the user ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Mon, 3 Nov 2014 15:41:43 +0100
Jakub Hrozek wrote:
> On Mon, Nov 03, 2014 at 08:53:06AM -0500, Simo Sorce wrote:
> > On Mon, 3 Nov 2014 13:57:08 +0100
> > Jakub Hrozek wrote:
> >
> > > Hi,
> > >
> > > we had short discussion on $SUBJE
On Mon, 3 Nov 2014 16:08:16 +0100
Jakub Hrozek wrote:
> On Sat, Nov 01, 2014 at 05:21:51PM -0400, Simo Sorce wrote:
> > On Sat, 1 Nov 2014 17:24:53 +0100
> > Jakub Hrozek wrote:
> >
> > > On Wed, Jul 23, 2014 at 03:38:13PM +0200, Jakub Hrozek wrote:
> >
oviders/krb5/krb5_child_handler.c +++
> b/src/providers/krb5/krb5_child_handler.c @@ -284,14 +284,6 @@ static
> errno_t fork_child(struct tevent_req *req) pid = fork();
>
> if (pid == 0) { /* child */
> -if (state->kr->run_as_user) {
> -ret = become_
same checks as
ERR_CREDS_EXPIRED, why (and why does it need to be different) ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
on and fewer indentation levels.
> > > >
> > > > Thank you for the review.
> > >
> > > Hi,
> > >
> > > attached patches fix make distcheck issue. There are no changes
> > > in the code itself.
> >
> > Hi,
> >
> > attached are rebased patches. Again, there is no change in the code
> > itself.
> >
> > I'm still looking for a reviewer ...
>
> Simo,
>
> in this thread are the patches I pinged you about earlier today on
> IRC. I'm sorry I wasn't able for interactive discussion today, but if
> you have the time, do you agree with the general direction the
> patches are taking?
>
> I understand you don't have the time for testing etc. but an
> architectural blessing would help as well.
>
> Thanks!
Comments sent to the list per patch, I think I have no other comments
on the patchset.
Thank you,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Thu, 6 Nov 2014 22:02:29 +0100
Niels de Vos wrote:
> On Thu, Nov 06, 2014 at 11:45:18PM +0530, Vijay Bellur wrote:
> > On 11/03/2014 08:12 PM, Jakub Hrozek wrote:
> > >On Mon, Nov 03, 2014 at 03:41:43PM +0100, Jakub Hrozek wrote:
> > >>On Mon, Nov 03, 2014 a
On Fri, 7 Nov 2014 09:59:32 +0100
Niels de Vos wrote:
> On Thu, Nov 06, 2014 at 05:32:53PM -0500, Simo Sorce wrote:
> > On Thu, 6 Nov 2014 22:02:29 +0100
> > Niels de Vos wrote:
> >
> > > On Thu, Nov 06, 2014 at 11:45:18PM +0530, Vijay Bellur wrote:
> > >
On Mon, 10 Nov 2014 17:12:55 +0100
Jakub Hrozek wrote:
> On Thu, Nov 06, 2014 at 10:21:17AM -0500, Simo Sorce wrote:
> > On Wed, 5 Nov 2014 18:36:06 +0100
> > Jakub Hrozek wrote:
> >
> > > From 1afae1740eb9bf232c33dba77f643f88d0eeb7a3 Mon Sep 17 00:00:00
On Mon, 10 Nov 2014 17:44:48 +0100
Jakub Hrozek wrote:
> On Mon, Nov 10, 2014 at 11:37:41AM -0500, Simo Sorce wrote:
> > On Mon, 10 Nov 2014 17:12:55 +0100
> > Jakub Hrozek wrote:
> >
> > > On Thu, Nov 06, 2014 at 10:21:17AM -0500, Simo Sorce wrote:
> >
On Mon, 10 Nov 2014 16:56:22 -0500 (EST)
Roland Mainz wrote:
>
>
> - Original Message -
> > From: "Simo Sorce"
> > To: "Niels de Vos"
> > Cc: gluster-de...@gluster.org, sssd-devel@lists.fedorahosted.org,
> > "Vijay Bellur"
> LS
>
>
--
Simo Sorce * Red Hat, Inc. * New York
On Wed, 12 Nov 2014 16:36:00 +0100
Lukas Slebodnik wrote:
> On (12/11/14 10:00), Simo Sorce wrote:
> >I would create a helper function to be called on return that
> >transforms the error accordingly. This will allow to write the code
> >_and_ the comment once.
> >
>
On Thu, 13 Nov 2014 10:44:45 +0100
Jakub Hrozek wrote:
> On Wed, Nov 12, 2014 at 08:04:46PM -0500, Simo Sorce wrote:
> > On Wed, 12 Nov 2014 16:36:00 +0100
> > Lukas Slebodnik wrote:
> >
> > > On (12/11/14 10:00), Simo Sorce wrote:
> > > >I would creat
On (13/11/14 10:44), Jakub Hrozek wrote:
> > >> >On Wed, Nov 12, 2014 at 08:04:46PM -0500, Simo Sorce wrote:
> > >> >> On Wed, 12 Nov 2014 16:36:00 +0100
> > >> >> Lukas Slebodnik wrote:
> > >> >>
> > >> >>
we do not even need a setuid helper to create
a new file. Just write a new one as sssd.sssd then ask the monitor to
atomically rename it on top of the existing one (the monitor runs as
root), change the perms to root.root and regenerate the confdb (as
long as we do this).
Simo.
--
Simo Sorce * Red Hat, Inc * New York
uld be to intercept unix socket calls in socket wrapper
too, and redirect them.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Thu, 27 Nov 2014 09:25:09 -0500
Simo Sorce wrote:
> On Thu, 27 Nov 2014 15:09:32 +0200
> Nikolai Kondrashov wrote:
>
> > Hi everyone,
> >
> > While trying to arrange running sssd under cwrap in "make check" I
> > came upon this roadblock:
>
tive paths
> which are better suited for the tests?
I do something like that (binary patching) here:
https://fedorapeople.org/cgit/simo/public_git/gss-proxy.git/tree/proxy/tests/runtests.py#n238
Works ok :-)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
le char.
This way you could, in theory, use utf-8 multibyte chars, it also means
some people may decide to use multiple chars as a separator (like := ),
not sure if this is a problem or an advantage.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Mon, 1 Dec 2014 09:27:11 +0100
Lukas Slebodnik wrote:
> On (29/11/14 23:32), Simo Sorce wrote:
> >On Fri, 28 Nov 2014 12:01:29 +0100
> >Sumit Bose wrote:
> >
> >> On Thu, Nov 27, 2014 at 03:09:32PM +0200, Nikolai Kondrashov wrote:
> >> > Hi everyo
's worth it, but I think we shouldn't discount the
> need to add more such mappings and the growing number of options in
> the future.
If there were a good reason sure, but making something neater is not a
good reason to break configuration files, or ma
nd then fail spectacularly when there are actually 100K
users in the directory.
> - SSSD should have a configuration option that specifies how short
> the filter can be - default 3 characters (number of characters
> without asterisk). If application provided a shorter filter because
>
On Wed, 07 Jan 2015 15:25:30 -0500
Dmitri Pal wrote:
> On 01/07/2015 03:05 PM, Simo Sorce wrote:
> > On Tue, 06 Jan 2015 09:59:08 -0500
> > Dmitri Pal wrote:
> >
> >> On 01/06/2015 05:54 AM, Jakub Hrozek wrote:
> >>> On Tue, Jan 06, 2015 at 11:31:55AM +
On Wed, 07 Jan 2015 16:03:38 -0500
Dmitri Pal wrote:
> On 01/07/2015 03:41 PM, Simo Sorce wrote:
> > On Wed, 07 Jan 2015 15:25:30 -0500
> > Dmitri Pal wrote:
> >
> >> On 01/07/2015 03:05 PM, Simo Sorce wrote:
> >>> On Tue, 06 Jan 2015 09:59:08 -0500
not) but the assignment would be safe and
the compiler can optimize it out if the variable is not used further or
internally no assignment ever happens.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
ry special case, we may want
an env var that allows the code to relax permission/ownership checking
on the config file.
I do not generally like magic env variables, and we should have an
option to compile this support out perhaps, but I see no other sane way
short of intercepting stat() and faki
On Thu, 15 Jan 2015 12:39:35 +0200
Nikolai Kondrashov wrote:
> On 01/14/2015 05:00 PM, Nikolai Kondrashov wrote:
> > On 01/14/2015 04:48 PM, Simo Sorce wrote:
> >> On Wed, 14 Jan 2015 16:08:33 +0200
> >> Nikolai Kondrashov wrote:
> >>> On 01/13/2015 02:31
On Thu, 15 Jan 2015 19:43:18 +0200
Nikolai Kondrashov wrote:
> On 01/15/2015 06:41 PM, Simo Sorce wrote:
> > On Thu, 15 Jan 2015 12:39:35 +0200
> > Nikolai Kondrashov wrote:
> >
> >> On 01/14/2015 05:00 PM, Nikolai Kondrashov wrote:
> >>> On 01/14/2015
was simple and so I am
throwing it here for consideration.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
From cd2ed8cd14f3d113345a7c9e2271d9ffa38afbe1 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Wed, 25 Mar 2015 10:52:43 -0400
Subject: [PATCH] BUILD: Use pkg-config for krb5
Since a
On Wed, 2015-03-25 at 16:33 +0100, Lukas Slebodnik wrote:
> On (25/03/15 11:15), Simo Sorce wrote:
> >Hello team!
> >So ... :)
> >... yesterday I had to work around a bug in the rawhide build of libkrb5
> >that rendered krb5-config buggy and broke gssproxy 0.4.0 build.
he database, only to not return them
to the userspace. So perhaps we should just care about expiration times,
and if nothing (enumeration or direct lookup) refreshes the user then we
just do not return it on enumeration. That would probably be sufficient.
Space is not always cheap, but i
er
> only.
>
> === Future work ===
> Handling failover and offline status on per-domain basis instead of
> per-backend basis should be done in the next release.
>
> === Configuration changes ===
> none
>
> === How To Test ===
> Establish a one-way trust relationship with an AD domain. Make sure both
> IPA and AD users are resolvable. It's prudent to test combinations of
> one-way and two-way trusts with different forests. Make sure removing a
> trust relationship removes the keytab from the filesystem. Make sure that
> SSSD handles re-establishing a trust relationship.
>
> === Authors ===
> * Jakub Hrozek
Good job.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
og in but even off
> line log in.
> 2) I could introduce SYSDB_LAST_ONLINE_AUTH_WITH_CURRENT_TOKEN that
> would behave as SYSDB_LAST_ONLINE_AUTH but could be set to 0 as proposed
> in 1)
> >
> > Please add test with wrong password as well to chec
On Mon, 2015-04-27 at 15:04 +0300, Alexander Bokovoy wrote:
> On Mon, 27 Apr 2015, Jakub Hrozek wrote:
> >On Sun, Apr 26, 2015 at 06:17:21PM -0400, Simo Sorce wrote:
> >> Very nice writeup!
> >> A few comments..
> >>
> >> On Sun, 2015-04-26
On Mon, 2015-04-27 at 18:41 +0300, Alexander Bokovoy wrote:
> On Mon, 27 Apr 2015, Simo Sorce wrote:
> >On Mon, 2015-04-27 at 15:04 +0300, Alexander Bokovoy wrote:
> >> On Mon, 27 Apr 2015, Jakub Hrozek wrote:
> >> >On Sun, Apr 26, 2015 at 06:17:21PM -0400, Simo
I don't feel quite confident to push right away. It
> would be nice if another developer more proficient with autotools would
> ack as well.
>
> Thanks for the patch! I'm sure that users of embedded systems would love
> the decrease in size.
Looks good to me too.
Ac
ase where it would return
the wrong result is in case the hbac search base was missing and we
still got this far somehow.
So please check carefully.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
From 644b45cfb7db4617059d3d4ad2ad1779d850db9c Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sun
On Mon, 2013-03-04 at 12:49 +0100, Pavel Březina wrote:
> On 02/27/2013 03:52 PM, Simo Sorce wrote:
> >
> > Rebased patch so that it applies on top of master + krb5 child
> > refactoring rebased patch.
> >
> > Simo.
>
> Hi,
> while reviewing subsequent p
On Mon, 2013-03-04 at 13:10 +0100, Pavel Březina wrote:
> On 02/28/2013 12:29 AM, Simo Sorce wrote:
> > This patch removes yet another set of custom and parallel error codes
> > specified in the sdap_result enumeration, and instead uses the new
> > unified error codes.
On Mon, 2013-03-04 at 13:29 -0500, Simo Sorce wrote:
> On Mon, 2013-03-04 at 13:10 +0100, Pavel Březina wrote:
> > On 02/28/2013 12:29 AM, Simo Sorce wrote:
> > > This patch removes yet another set of custom and parallel error codes
> > > specified in the sdap_result en
On Mon, 2013-03-04 at 09:39 -0500, Simo Sorce wrote:
> On Mon, 2013-03-04 at 12:49 +0100, Pavel Březina wrote:
> > On 02/27/2013 03:52 PM, Simo Sorce wrote:
> > >
> > > Rebased patch so that it applies on top of master + krb5 child
> > > refactoring rebased
On Mon, 2013-03-04 at 12:20 -0500, Lukas Slebodnik wrote:
> A simple fix of ticket https://fedorahosted.org/sssd/ticket/1812
ACK.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
Thanks to Stephen for pointing out the flaw.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
From e8179af19debdac179747bbdeaccb6b3a0c47a50 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 5 Mar 2013 10:12:10 -0500
Subject: [PATCH] Improve IS_SSSD_ERROR() macro
We need to mask the fi
On Tue, 2013-03-05 at 16:36 +0100, Michal Židek wrote:
> https://fedorahosted.org/sssd/ticket/1765
>
> Patch is in attachment.
ACK.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Tue, 2013-03-05 at 11:21 -0500, Stephen Gallagher wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Tue 05 Mar 2013 11:11:28 AM EST, Simo Sorce wrote:
> > Thanks to Stephen for pointing out the flaw.
> >
>
> Would you mind updating the commit mess
On Wed, 2013-03-06 at 17:09 +0100, Michal Židek wrote:
> https://fedorahosted.org/sssd/ticket/1826
>
> See commit message.
It would be better if you can use a destructor attached to the mc_ctx
so any other path where we need to free it is automatically covered.
Simo.
--
Simo Sorce
On Wed, 2013-03-06 at 19:33 +0100, Michal Židek wrote:
> On 03/06/2013 07:27 PM, Michal Židek wrote:
> > On 03/06/2013 07:18 PM, Michal Židek wrote:
> >> On 03/06/2013 06:33 PM, Simo Sorce wrote:
> >>> On Wed, 2013-03-06 at 17:09 +0100, Michal Židek wrote:
>
On Wed, 2013-03-06 at 23:19 +0100, Michal Židek wrote:
> On 03/06/2013 08:13 PM, Simo Sorce wrote:
> > On Wed, 2013-03-06 at 19:33 +0100, Michal Židek wrote:
> >> On 03/06/2013 07:27 PM, Michal Židek wrote:
> >>> On 03/06/2013 07:18 PM, Michal Židek wrote:
> >>
On Thu, 2013-03-07 at 03:15 +0100, Michal Židek wrote:
> On 03/07/2013 12:02 AM, Simo Sorce wrote:
> > On Wed, 2013-03-06 at 23:19 +0100, Michal Židek wrote:
> >> On 03/06/2013 08:13 PM, Simo Sorce wrote:
> >>> On Wed, 2013-03-06 at 19:33 +0100, Michal Židek wrote:
the unlink in the destructor ...
Simo.
>
--
Simo Sorce * Red Hat, Inc * New York
atter, then we
> can probably just maintain a hash table in the plugin to store the
> conversions for the life of the helper app. If it's possible that the
> app may be long-running, then we probably need to make sure to set a
> lifetime on the in-memory cache entries.
The cifs.up
On Thu, 2013-03-07 at 15:02 +0100, Michal Židek wrote:
> On 03/07/2013 02:42 PM, Simo Sorce wrote:
> > On Thu, 2013-03-07 at 13:44 +0100, Michal Židek wrote:
> >> Ok :)
> >> So I removed the unlink() from destructor (and the sss_mc_set_recycled
> >> with it)
o realized this is probably incorrect, you should test
mc_ctx->file not mc_ctx->fd
I also see we have a minor issue in sss_mc_create_file(), we should
probably remove close()/unlink() as well from the error condition in
case sss_br_lock_file() fails, or at the very least set fd = -1 and fil
On Thu, 2013-03-07 at 15:46 +0100, Michal Židek wrote:
> On 03/07/2013 03:22 PM, Simo Sorce wrote:
> > On Thu, 2013-03-07 at 15:02 +0100, Michal Židek wrote:
> >> +/* Closing the file descriptor and ummaping the file
> >> + * from memory is do
On Thu, 2013-03-07 at 17:44 +0100, Michal Židek wrote:
> On 03/07/2013 04:19 PM, Simo Sorce wrote:
> > On Thu, 2013-03-07 at 15:46 +0100, Michal Židek wrote:
> >> On 03/07/2013 03:22 PM, Simo Sorce wrote:
> >>> On Thu, 2013-03-07 at 15:02 +0100, Michal Židek wrote:
itted anymore as sss_auth_token is opaque. See src/util/authotk.h
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Fri, 2013-03-08 at 15:41 +0100, Jakub Hrozek wrote:
> On Fri, Mar 08, 2013 at 09:02:02AM -0500, Simo Sorce wrote:
> > On Fri, 2013-03-08 at 13:09 +0100, Jakub Hrozek wrote:
> > > In general in code that uses talloc, functions that return an
> > > allocated
> >