On Fri, 19 Jul 2013, Jakub Hrozek wrote:
On Fri, Jul 19, 2013 at 04:29:37PM +0300, Alexander Bokovoy wrote:
Hi!

Apparently, the getgrouplist(3) call is not available in Python older than
Python 3.3. So I agreed with Jakub to have it bound to the pysss Python
module. We need this call to obtain the list of groups a trusted domain user
belongs to for HBAC testing in FreeIPA.

Additionally, I've fixed a bug with the linking of pysss. This patch is
relevant to 1.10 as well, while the first one is needed in sssd 1.11.


--
/ Alexander Bokovoy

Subject: [PATCH 1/2] build: fix dependencies for pysss module
Ack

Subject: [PATCH 2/2] pysss: add pysss.getgrouplist(username)

I would just like to amend the doctext to make it clear that this is
just a system wrapper and not limited to users served by the sssd. See
the attached patch, I'd like to squash it before pushing.

From a4b19b4b0e5d1e9b088059fc77f01e07d2407ca0 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Fri, 19 Jul 2013 16:52:11 +0200
Subject: [PATCH] Amend the doctext

---
src/python/pysss.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/src/python/pysss.c b/src/python/pysss.c
index 
a2924ff32575e1d41a776769720129b42de860da..6ae9a25268e632817311ff3cf0cb9354d99b5be3
 100644
--- a/src/python/pysss.c
+++ b/src/python/pysss.c
@@ -751,6 +751,8 @@ fail:
 */
PyDoc_STRVAR(py_sss_getgrouplist__doc__,
    "Get list of groups user belongs to.\n\n"
+    "NOTE: The interface uses the system NSS calls and is not limited to "
+    "users served by the SSSD!\n"
    ":param username: name of user to get list for\n");

static PyObject *py_sss_getgrouplist(PyObject *self, PyObject *args)
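Review bot: the second added line closes the NOTE with a single "\n", so ":param username:" follows it with no blank line, while the summary line above is closed with "\n\n"; ending the note with "\n\n" keeps the parameter list a separate block when the docstring is displayed. The exclamation mark is also out of step with the rest of the docstring, and the note could state the consequence for callers directly: the groups returned come from whatever sources the system NSS configuration provides, not only from SSSD.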
ACK.

However, when testing all this with the new FreeIPA code, I've found the
following issue: in ipa_server_mode = True I'm getting getgrgid(UPG) to
return NULL (and my code in pysss_getgrouplist crashes). UPG here is a user
private group.

(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=1442800500]
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f0338945b80
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f033897a450
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [ldb] (0x4000): Running timer event 0x7f0338945b80 "ltdb_callback"
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [ldb] (0x4000): Destroying timer event 0x7f033897a450 "ltdb_timeout"
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [ldb] (0x4000): Ending timer event 0x7f0338945b80 "ltdb_callback"
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=lvee,dc=ipa]
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1442800500)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=lvee,dc=ipa].
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 35
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_process_result] (0x2000): Trace: sh[0x7f033893bc20], connected[1], ops[0x7f0338979900], ldap[0x7f0338919400]
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_process_result] (0x2000): Trace: sh[0x7f033893bc20], connected[1], ops[(nil)], ldap[0x7f0338919400]
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sbus_dispatch] (0x4000): dbus conn: 7F0338931050
(Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sbus_dispatch] (0x4000): Dispatching.


Also this:
$ python
Python 2.7.5 (default, Jul 8 2013, 09:48:59) [GCC 4.8.1 20130603 (Red Hat 4.8.1-1)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import grp
>>> grp.getgrname("1442800500")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: 'module' object has no attribute 'getgrname'
>>> grp.getgrnam("1442800500")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
KeyError: 'getgrnam(): name not found: 1442800500'
>>> grp.getgrnam("administra...@ad.lan")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
KeyError: 'getgrnam(): name not found: administra...@ad.lan'
>>> import pwd
>>> pwd.getpwnam("1442800500")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
KeyError: 'getpwnam(): name not found: 1442800500'
>>> pwd.getpwnam("administra...@ad.lan")
pwd.struct_passwd(pw_name='administra...@ad.lan', pw_passwd='*', pw_uid=1442800500, pw_gid=1442800500, pw_gecos='Administrator', pw_dir='/', pw_shell='')

--
/ Alexander Bokovoy
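
The failure reported in this message, getgrgid() returning NULL for a GID that getgrouplist(3) handed back, can be handled by falling back to the numeric GID instead of dereferencing the result. This is an added C example, not the pysss code from the patch (which is not shown on this page); the function names gid_to_name and user_gids are hypothetical, and glibc on Linux is assumed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* makes <grp.h> declare getgrouplist(3) on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* glibc signature, repeated so the file still builds if feature macros
 * were already fixed by an earlier include. */
int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups);

/* Write the group name for gid into buf. Returns 1 if NSS resolved it,
 * 0 if getgrgid() returned NULL and the numeric GID was written instead. */
int gid_to_name(gid_t gid, char *buf, size_t len)
{
    struct group *gr = getgrgid(gid);
    if (gr == NULL || gr->gr_name == NULL) {   /* e.g. an unresolvable UPG */
        snprintf(buf, len, "%lu", (unsigned long)gid);
        return 0;
    }
    snprintf(buf, len, "%s", gr->gr_name);
    return 1;
}

/* Fetch the GID list for user, growing the buffer when getgrouplist()
 * reports it was too small. Caller frees *out. Returns the count or -1. */
int user_gids(const char *user, gid_t primary, gid_t **out)
{
    int n = 16;
    gid_t *gids = malloc((size_t)n * sizeof(*gids));
    if (gids == NULL) return -1;
    if (getgrouplist(user, primary, gids, &n) == -1) {
        gid_t *tmp = realloc(gids, (size_t)n * sizeof(*gids)); /* n = needed */
        if (tmp == NULL) { free(gids); return -1; }
        gids = tmp;
        if (getgrouplist(user, primary, gids, &n) == -1) { free(gids); return -1; }
    }
    *out = gids;
    return n;
}

int main(void)
{
    gid_t *gids = NULL;
    char name[64];
    /* Constructed input: the GID from the thread, a made-up user name. */
    int n = user_gids("example-user", (gid_t)1442800500, &gids);
    for (int i = 0; i < n; i++) {
        int known = gid_to_name(gids[i], name, sizeof(name));
        printf("%s%s\n", name, known ? "" : " (no group entry)");
    }
    free(gids);
    return 0;
}
```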