Re: [SSSD] [PATCH] Make use of failover code in backends.
On Fri, Nov 20, 2009 at 08:59:49AM -0500, Simo Sorce wrote:
On Fri, 2009-11-20 at 12:23 +0100, Sumit Bose wrote:
On Mon, Nov 16, 2009 at 05:55:51PM -0500, Simo Sorce wrote:
This patch implements the use of the fail_over code under the control of the data provider backend code. All providers share the same failover structure and if they use the same service name, they also share the same servers lists.

Please add a utility function to split the server list.

I can't make a generic function, the ldap backend uses URIs like ldap://foo.bar:123, ldaps://bar.baz, while the IPA backend uses a list of fqdns: fo.bar.baz, foo2.bar.baz. So each backend has to init on its own based on the syntax it uses.

I just meant splitting at ',' or ' '. This is already two times in the patch and is needed a third time for the krb5 provider.

bye, Sumit

A set of callbacks is made available so that if a new resolution is performed that changes the server currently in use then all providers can update their status. I have done limited testing with the ipa backend which exercises both the ldap and krb code, although the standalone krb code still doesn't implement using the failover code.

Simo.

I have tested with three servers and can see that they are tried one after the other, but if the last one is reached and fails it looks like it never tries other servers again. I only get:
[sssd[be[NEWIPA]]] [fo_resolve_service_send] (1): No available servers for service 'IPA'.

Although I also have seen a longer delay than I expect, this should start working after a few tries, when the failover code decides the blackout for a specific server is over. If that doesn't happen we need a patch for the failover code I think.

Simo.

-- Simo Sorce * Red Hat, Inc * New York

___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
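As an added illustration of the behaviour discussed in this message (this is not SSSD's fail_over code and is not part of the thread), the Python below models a service-wide server list shared under one service name, a per-server blackout after a failed connection, the "No available servers" condition once every server is blacked out, recovery once the first blackout expires, and a callback that fires whenever the server in use changes. The service name `IPA`, the host names and the 30 second `retry_timeout` are assumptions; SSSD's real timers and callback API are not reproduced.

```python
"""Added example, not SSSD code: a failover server list with per-server
blackout and a change callback, driven by an injectable clock."""
import time
from typing import Callable, Dict, List, Optional, Tuple


class FailoverService:
    """One shared server list per service name (e.g. "IPA"); providers that
    use the same service name share this object and its blackout state."""

    def __init__(self, name: str, servers: List[str],
                 retry_timeout: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.name = name
        self.servers = list(servers)          # tried in this order
        self.retry_timeout = retry_timeout    # assumed blackout length (seconds)
        self.clock = clock
        self.blackout_until: Dict[str, float] = {s: 0.0 for s in self.servers}
        self.current: Optional[str] = None
        self.callbacks: List[Callable[[Optional[str]], None]] = []

    def add_callback(self, cb: Callable[[Optional[str]], None]) -> None:
        """Providers register here so a server change updates all of them."""
        self.callbacks.append(cb)

    def resolve(self) -> Optional[str]:
        """Pick the first server whose blackout has expired, or None
        (the "No available servers for service" case)."""
        now = self.clock()
        chosen = next((s for s in self.servers
                       if self.blackout_until[s] <= now), None)
        if chosen != self.current:
            self.current = chosen
            for cb in self.callbacks:
                cb(chosen)
        return chosen

    def report_failure(self, server: str) -> None:
        """A failed connection blacks the server out for retry_timeout."""
        self.blackout_until[server] = self.clock() + self.retry_timeout


def simulate(servers: List[str], steps: List[Tuple[float, bool]],
             retry_timeout: float = 30.0
             ) -> Tuple[List[Optional[str]], List[Optional[str]]]:
    """Drive the service with a fake clock. Each step is (seconds to
    advance, whether the chosen server is reachable). Returns the server
    chosen at every step (None == no server available) and the sequence of
    values the change callback saw."""
    now = [0.0]
    svc = FailoverService("IPA", servers, retry_timeout, clock=lambda: now[0])
    changes: List[Optional[str]] = []
    svc.add_callback(changes.append)
    chosen: List[Optional[str]] = []
    for advance, reachable in steps:
        now[0] += advance
        server = svc.resolve()
        chosen.append(server)
        if server is not None and not reachable:
            svc.report_failure(server)
    return chosen, changes


if __name__ == "__main__":
    # Constructed run: three consecutive failures, one attempt while every
    # server is blacked out, then a retry after the first blackout expired.
    picks, seen = simulate(
        ["ipa1.example.com", "ipa2.example.com", "ipa3.example.com"],
        [(0, False), (1, False), (1, False), (1, False), (40, True)])
    print(picks)
    print(seen)
```

With a shorter blackout than the interval between attempts the fourth step would already pick the first server again; the point of the model is that the "No available servers" message is expected while all blackouts are still running, and a bug is only present if the first server is never picked again after its blackout has expired.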
Re: [SSSD] [PATCH] correctly escape RDNs
On Fri, Nov 20, 2009 at 09:07:31AM -0500, Simo Sorce wrote:
On Fri, 2009-11-20 at 09:50 +0100, Sumit Bose wrote:
On Thu, Nov 19, 2009 at 07:30:32PM -0500, Simo Sorce wrote:
See commit comment.

-- Simo Sorce * Red Hat, Inc * New York

From 49862816e3b7077bc7a002c980901d31aff06269 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Thu, 19 Nov 2009 19:28:36 -0500 Subject: [PATCH] Correctly escape DN value. In building the DN string we weren't correctly escaping the value of the RDN component. This patch fixes that. --- server/db/sysdb_ops.c | 48 ++-- 1 files changed, 42 insertions(+), 6 deletions(-) diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c index 4a44f28..da53fd3 100644 --- a/server/db/sysdb_ops.c +++ b/server/db/sysdb_ops.c @@ -2769,6 +2769,42 @@ int sysdb_store_user_recv(struct tevent_req *req) /* =Store-Group-(Native/Legacy)-(replaces-existing-data)== */ +static char *build_dom_dn_str_escape(TALLOC_CTX *memctx, const char *template, + const char *domain, const char *name) +{ +char *ret; +int l; + +l = strcspn(name, ,=\n+#;\\\);

Wouldn't it be better to always call ldb_dn_escape_value() instead of depending on a hardcoded set of characters which might be different in other/coming versions of libldb?

Theoretically it would, but members list can be quite long and ldb_dn_escape_value() always allocates memory. The list is unlikely to change though, as it is in an LDAP standard.

Simo.

ok, ACK

bye, Sumit
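Review bot: the fast-path set in `l = strcspn(name, ",=\n+#;\\\"")` does not cover everything RFC 4514 section 2.4 requires escaping: `<` and `>` are missing, and two of the rules are positional (a `#` only at the start of the value, a space only at the start or end), which a strcspn() set cannot express. If the rest of the function, not visible in this hunk, only escapes when strcspn() stops before the end of the string, a value such as `bob<x` is built into the DN unescaped even though ldb_dn_escape_value() would have escaped it. Suggest adding `<` and `>` to the set and checking `name[0]` / `name[strlen(name)-1]` for the positional cases before taking the no-escape fast path, or at least a comment that the set must be kept identical to libldb's.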
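To show why the escaping matters, here is an added Python example (not the sysdb code from the patch, and not part of the thread). It implements RFC 4514 value escaping behind a strcspn()-style fast path like the one in the hunk, builds a sysdb-style user DN, and splits the result back into RDNs to show that an unescaped user name containing `,cn=` injects an extra RDN into the DN. The template `name=%s,cn=users,cn=%s,cn=sysdb` and the hostile user name are assumptions made for the illustration.

```python
"""Added example, not SSSD code: RFC 4514 DN value escaping with a fast
path, plus a splitter that shows the effect of an unescaped value."""
from typing import List

# Characters that always need a backslash inside an RDN value (RFC 4514
# section 2.4). '=' and newline are not required by the RFC but are escaped
# here too, matching the character set used in the patch under discussion.
_ALWAYS = ',+"\\<>;=\n'


def needs_escape(value: str) -> bool:
    """strcspn()-style fast path: True if escaping would change the value.
    Unlike a plain strcspn() set this also covers the positional rules
    (leading '#' or space, trailing space) and embedded NUL."""
    if not value:
        return False
    if value[0] in " #" or value[-1] == " " or "\x00" in value:
        return True
    return any(c in _ALWAYS for c in value)


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 2.4)."""
    if not needs_escape(value):
        return value                 # common case: no work, no allocation
    out: List[str] = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif c == "#" and i == 0:
            out.append("\\#")
        elif c in "\x00\n":
            out.append("\\%02x" % ord(c))   # hex form for non-printables
        elif c in _ALWAYS:
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas, honouring backslash escapes."""
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns


# Assumed sysdb-style template, for illustration only.
_USER_DN = "name=%s,cn=users,cn=%s,cn=sysdb"


def build_user_dn(name: str, domain: str, escape: bool = True) -> str:
    """Build the user DN; escape=False reproduces the pre-patch behaviour."""
    if escape:
        return _USER_DN % (escape_dn_value(name), escape_dn_value(domain))
    return _USER_DN % (name, domain)


if __name__ == "__main__":
    evil = "bob,cn=admins"          # constructed hostile user name
    for flag in (False, True):
        dn = build_user_dn(evil, "example.com", escape=flag)
        print(len(split_rdns(dn)), "RDNs:", dn)
```

Without escaping the DN has five RDNs and the entry lands under `cn=admins`; with escaping it has the expected four and the comma is part of the name value.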
Re: [SSSD] [PATCH] Ignore shadow attributes
On Mon, Nov 16, 2009 at 09:23:17AM -0500, Simo Sorce wrote:
On Mon, 2009-11-16 at 14:06 +0100, Sumit Bose wrote:
Hi, this patch should fix #279 by ignoring the shadow attributes by default.

I was thinking about this and I think I don't want to go down this way. While automatic discovery of the expiration attributes is nice, I think it is an issue. I would rather see an attribute that overrides find_password_expiration_attributes() instead. This way the admin can force what expiration policy should be used regardless of what random attributes may be found. something like:
password_policy_type choice of: none, ldap_pwd_policy, mit_kerberos, shadow, auto
so if you don't want anything use password_policy_type = none
if you want to use only shadow (even if the server supports ldap_pwd_policies) set password_policy_type = shadow
I am unsure if we want to add auto, that would be the default and use the find_password_expiration_attributes() to autodetect what to use.

Thoughts ?

Simo.

The attached patch does most of the above. There is no option auto because I think it might be more confusing than without. Also there is no option ldap_pwd_policy, because if there is a server side policy the client cannot ignore it.

bye, Sumit

From 54edfffe7a41216a2267a57bb68525454dbe85e5 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 16 Nov 2009 13:56:57 +0100 Subject: [PATCH] Add ldap_pwd_policy option --- server/config/SSSDConfig.py |3 + server/config/etc/sssd.api.d/sssd-ldap.conf |1 + server/man/sssd-ldap.5.xml | 33 server/providers/ldap/ldap_auth.c | 114 -- server/providers/ldap/ldap_common.c | 18 - server/providers/ldap/ldap_common.h |4 + server/providers/ldap/sdap.h|1 + 7 files changed, 129 insertions(+), 45 deletions(-) diff --git a/server/config/SSSDConfig.py b/server/config/SSSDConfig.py index 57d39c7..1cbf1a8 100644 --- a/server/config/SSSDConfig.py +++ b/server/config/SSSDConfig.py 
@@ -136,6 +136,9 @@ option_strings = { 'ldap_user_member_of' : _('memberOf attribute'), 'ldap_user_modify_timestamp' : _('Modification time attribute'), +# [provider/ldap/auth] +'ldap_pwd_policy' : _('Policy to evaluate the password expiration'), + # [provider/local/id] 'default_shell' : _('Default shell, /bin/bash'), 'base_directory' : _('Base for home directories'), diff --git a/server/config/etc/sssd.api.d/sssd-ldap.conf b/server/config/etc/sssd.api.d/sssd-ldap.conf index 34aaa65..314f57f 100644 --- a/server/config/etc/sssd.api.d/sssd-ldap.conf +++ b/server/config/etc/sssd.api.d/sssd-ldap.conf @@ -61,6 +61,7 @@ ldap_group_modify_timestamp = str, None ldap_force_upper_case_realm = bool, None [provider/ldap/auth] +ldap_pwd_policy = str, None [provider/ldap/chpass] diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml index a2aa730..d944392 100644 --- a/server/man/sssd-ldap.5.xml +++ b/server/man/sssd-ldap.5.xml @@ -582,6 +582,39 @@ /listitem /varlistentry +varlistentry +termldap_pwd_policy (string)/term +listitem +para +Select the policy to evaluate the password +expiration on the client side. The following values +are allowed: +/para +para +emphasisnone/emphasis No evaluation on the +client side. This option cannot disable server side +password policies. +/para +para +emphasisshadow/emphasis use +citerefentryrefentrytitleshadow/refentrytitle +manvolnum5/manvolnum/citerefentry style +attributes to evaluate if the password is expired. +Please note that the current version of sssd cannot +update this attribute during a password change. +/para +para +emphasismit_kerberos/emphasis use the attributes +used by MIT Kerberos to evaluate if the password is +expired. Use chpass_provider=krb5 to update these +attributes when the password is changed. +/para +para +Default: none +/para +/listitem +/varlistentry + /variablelist /para /refsect1 diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
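Review bot: in the sssd-ldap.5.xml hunk, the `shadow` entry should spell out the consequence of "sssd cannot update this attribute during a password change": shadowLastChange keeps its old value after a client-side change, so the client goes on computing expiration from the stale date and can report the password as expired right after it was changed, until something updates the attribute on the server. The same hunk documents three allowed values (`none`, `shadow`, `mit_kerberos`) while the sssd-ldap.conf hunk declares the option as a bare `ldap_pwd_policy = str, None`; it is worth confirming that the ldap_common.c part of the patch (cut off here after the ldap_auth.c header) rejects any other string at startup instead of silently falling back to `none`, since a typo in this option would turn off client-side expiration checks without any warning.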
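To make the `shadow` policy described in the man page hunk concrete, here is an added Python example (not SSSD's ldap_auth.c code, and not part of the patch) that evaluates the shadow(5) aging attributes the way a client-side check has to. `shadowLastChange`, `shadowMax`, `shadowWarning`, `shadowInactive` and `shadowExpire` are the standard shadowAccount attributes; the status names returned and the rule that an empty or negative `shadowMax` disables aging are my reading of shadow(5), not SSSD's exact implementation, and the sample entries and the `TODAY` date are constructed.

```python
"""Added example, not SSSD code: client-side evaluation of shadow(5)
password aging attributes from an LDAP shadowAccount entry."""
from datetime import date
from typing import Dict, Optional, Tuple

_EPOCH = date(1970, 1, 1)
TODAY = date(2009, 12, 1)          # constructed "current" date for the demo


def epoch_days(d: date) -> int:
    """Days since 1970-01-01, the unit every shadow* attribute uses."""
    return (d - _EPOCH).days


def _int(attrs: Dict[str, str], name: str) -> Optional[int]:
    """Attribute as int, or None if absent, empty or negative (shadow(5)
    treats all three as 'not set')."""
    raw = attrs.get(name)
    if raw is None or raw == "":
        return None
    value = int(raw)
    return None if value < 0 else value


def shadow_status(attrs: Dict[str, str], today: date) -> Tuple[str, Optional[int]]:
    """Evaluate one entry. Returns (status, days_until_expiry) with status
    one of account_expired, must_change, ok, warn, expired, inactive.
    'expired' means the password must be changed before use; 'inactive'
    means the grace period after expiry has also run out."""
    days = epoch_days(today)

    expire = _int(attrs, "shadowExpire")        # absolute account expiry
    if expire is not None and days >= expire:
        return "account_expired", None

    last = _int(attrs, "shadowLastChange")
    if last is None:
        return "ok", None                       # aging disabled for this user
    if last == 0:
        return "must_change", 0                 # forced change at next login

    max_age = _int(attrs, "shadowMax")
    if max_age is None:
        return "ok", None                       # no maximum age: never expires
    expiry_day = last + max_age
    remaining = expiry_day - days

    if remaining < 0:
        inactive = _int(attrs, "shadowInactive")
        if inactive is not None and days > expiry_day + inactive:
            return "inactive", remaining
        return "expired", remaining

    warn = _int(attrs, "shadowWarning")
    if warn is not None and remaining <= warn:
        return "warn", remaining
    return "ok", remaining


if __name__ == "__main__":
    d = epoch_days(TODAY)
    # Constructed entries, shaped like the attributes an LDAP search returns.
    samples = {
        "fresh":   {"shadowLastChange": str(d - 5), "shadowMax": "90", "shadowWarning": "7"},
        "warning": {"shadowLastChange": str(d - 85), "shadowMax": "90", "shadowWarning": "7"},
        "expired": {"shadowLastChange": str(d - 100), "shadowMax": "90", "shadowInactive": "30"},
        "locked":  {"shadowLastChange": str(d - 130), "shadowMax": "90", "shadowInactive": "30"},
        "forced":  {"shadowLastChange": "0", "shadowMax": "90"},
        "noaging": {"shadowLastChange": str(d - 1000)},
        "gone":    {"shadowLastChange": str(d - 1), "shadowMax": "90", "shadowExpire": str(d - 1)},
    }
    for name, entry in samples.items():
        print(name, shadow_status(entry, TODAY))
```

The "expired" and "locked" rows are the ones the man page caveat is about: if shadowLastChange is not bumped after a password change, a user keeps landing in these states no matter how recently they changed their password.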
Re: [SSSD] [PATCH] Make use of failover code in backends.
On Fri, Nov 20, 2009 at 12:14:22PM -0500, Simo Sorce wrote:
On Fri, 2009-11-20 at 10:03 -0500, Simo Sorce wrote:
ok, modified patch attached.

Rebased on top of current master.

Simo.

I still find it hard to test, but I think the general logic is right.

ACK

bye, Sumit
Re: [SSSD] [PATCH] fix internal consistency check
On Mon, Nov 23, 2009 at 05:21:37PM -0500, Simo Sorce wrote:
We used to do this via a preprocessor macro so the build would fail but since we changed the original code to use enums instead this is not possible anymore. Turn it into a runtime check.

Simo.

Looks good, but I think the error message should clearly say that this is a packaging error and the user cannot do anything to fix this.

bye, Sumit
[SSSD] [PATCH] Use ldb modules from build root for tests
Hi, when running 'make check' on a system where the ldb memberof plugin is not installed, e.g. every build system where sssd is not installed but just built, the sysdb test fails in the ASQ test. This patch changes the ldb module path if sysdb is compiled for the test.

Maybe we want to set the path to something like $(libdir)/ldb for the real case, too?

bye, Sumit

From 7a31bd2b0cd760b9fffa695c3c09e0069c0c523f Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 24 Nov 2009 15:19:28 +0100 Subject: [PATCH] Use ldb modules from build root for tests --- server/Makefile.am |1 + server/db/sysdb.c |4 2 files changed, 5 insertions(+), 0 deletions(-) diff --git a/server/Makefile.am b/server/Makefile.am index c52db19..198d5c4 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -412,6 +412,7 @@ sysdb_tests_SOURCES = \ tests/sysdb-tests.c \ $(SSSD_UTIL_OBJ) sysdb_tests_CFLAGS = \ +-DSYSDB_TEST \ $(AM_CFLAGS) \ $(CHECK_CFLAGS) sysdb_tests_LDADD = \ diff --git a/server/db/sysdb.c b/server/db/sysdb.c index b59ffa4..5a274fb 100644 --- a/server/db/sysdb.c +++ b/server/db/sysdb.c @@ -1201,6 +1201,10 @@ static int sysdb_domain_init_internal(TALLOC_CTX *mem_ctx, return EIO; } +#ifdef SYSDB_TEST +ldb_set_modules_dir(ctx-ldb, ./.libs); +#endif + ret = ldb_connect(ctx-ldb, ctx-ldb_file, 0, NULL); if (ret != LDB_SUCCESS) { return EIO; -- 1.6.5.2
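Review bot: in the sysdb.c hunk, `ldb_set_modules_dir(ctx->ldb, "./.libs")` resolves relative to the current working directory, so the test only finds the memberof module when the binary is started from server/; from any other directory (an out-of-tree build, or `make check` driving the test from elsewhere) it silently loads whatever `./.libs` contains, or nothing, and the ASQ test fails again. Loading modules from a cwd-relative path is the classic untrusted search path pattern, so even for test code it is better to pass the absolute build directory through the define introduced in the Makefile.am hunk, e.g. `-DSYSDB_TEST_MODULES_DIR=\"$(abs_builddir)/.libs\"`, and use that string here; the `#ifdef` must also stay strictly on the test target so the relative path can never reach a production build.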
[SSSD] [PATCH] Fix an internal error when cache_credentials=FALSE
Hi, when cache_credentials=FALSE Kerberos authentication always failed. This patch should fix it and solve #292. bye, Sumit From 282dc304bda785e860906523fd52c52f587c8074 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 24 Nov 2009 17:27:00 +0100 Subject: [PATCH] Fix an internal error when cache_credentials=FALSE --- server/providers/krb5/krb5_auth.c |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c index a878c8e..16e92b4 100644 --- a/server/providers/krb5/krb5_auth.c +++ b/server/providers/krb5/krb5_auth.c @@ -1255,7 +1255,7 @@ static void krb5_save_ccname_done(struct tevent_req *req) struct pam_data *pd = kr-pd; struct be_req *be_req = kr-req; struct krb5_ctx *krb5_ctx = kr-krb5_ctx; -int pam_status=PAM_SYSTEM_ERR; +int pam_status = PAM_SYSTEM_ERR; int dp_err = DP_ERR_FATAL; int ret; char *password = NULL; @@ -1325,6 +1325,9 @@ static void krb5_save_ccname_done(struct tevent_req *req) return; } +pam_status = PAM_SUCCESS; +dp_err = DP_ERR_OK; + failed: talloc_free(kr); -- 1.6.5.2 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
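Review bot: in the second hunk, `pam_status = PAM_SUCCESS; dp_err = DP_ERR_OK;` is placed directly before the `failed:` label, so the success path now deliberately falls through a label named for the error path; the next reader is likely to "fix" that by adding a return. Since the label is reached by both paths after this change, renaming it to `done:` (with the `talloc_free(kr)` and the reply after it) documents the intent. The first hunk (`-int pam_status=PAM_SYSTEM_ERR;` to `+int pam_status = PAM_SYSTEM_ERR;`) is a whitespace-only change unrelated to #292 and could be left out of the fix.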
Re: [SSSD] [PATCH] fix internal consistency check
On Tue, Nov 24, 2009 at 11:23:10AM -0500, Simo Sorce wrote:
On Tue, 2009-11-24 at 09:04 +0100, Sumit Bose wrote:
On Mon, Nov 23, 2009 at 05:21:37PM -0500, Simo Sorce wrote:
We used to do this via a preprocessor macro so the build would fail but since we changed the original code to use enums instead this is not possible anymore. Turn it into a runtime check.

Simo.

Looks good, but I think the error message should clearly say that this is a packaging error and the user cannot do anything to fix this.

Doesn't matter, normal users *must never* see this error.

Simo.

ah, sorry for the wording, I meant admin not user. I think if the person who configured sssd sees "Option numbers do not match (X != Y)" after startup he or she might think that there are only a certain number of config options allowed and tries to figure out what's wrong with the configuration.

bye, Sumit
[SSSD] [PATCH] Make ldb lib dir configurable
Hi, this patch makes it possible to configure the place where the ldb modules shall be stored. The command line option has the highest priority, if not given pkg-config is queried. If everything fails we fall back to ${libdir}/ldb. bye, Sumit From f7678da7408c696a09142a407120031105360b7a Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 24 Nov 2009 22:37:10 +0100 Subject: [PATCH] Make ldb lib dir configurable --- server/Makefile.am|2 +- server/external/libldb.m4 | 18 ++ 2 files changed, 19 insertions(+), 1 deletions(-) diff --git a/server/Makefile.am b/server/Makefile.am index 198d5c4..c029391 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -6,7 +6,7 @@ builddir ?= . sssdlibexecdir = $(libexecdir)/sssd sssdlibdir = $(libdir)/sssd -ldblibdir = $(libdir)/ldb +ldblibdir = @ldblibdir@ if BUILD_KRB5_LOCATOR_PLUGIN krb5plugindir = @krb5pluginpath@ endif diff --git a/server/external/libldb.m4 b/server/external/libldb.m4 index 150c7ee..1e1ae14 100644 --- a/server/external/libldb.m4 +++ b/server/external/libldb.m4 @@ -8,3 +8,21 @@ AC_CHECK_HEADERS(ldb.h ldb_module.h, [AC_CHECK_LIB(ldb, ldb_init, [LDB_LIBS=-lldb], , -ltevent) ], [AC_MSG_ERROR([LDB header files are not installed])] ) + +AC_ARG_WITH([ldb-lib-dir], +[AC_HELP_STRING([--with-ldb-lib-dir=PATH], +[Path to store ldb modules [/usr/lib/ldb]] + ) +] + ) + +if test x$with_ldb_lib_dir != x; then +ldblibdir=$with_ldb_lib_dir +else +ldblibdir=`$PKG_CONFIG --variable=modulesdir ldb` +if test x$ldblibdir == x; then +ldblibdir=${libdir}/ldb +fi +fi +AC_MSG_NOTICE([ldb lib directory: $ldblibdir]) +AC_SUBST(ldblibdir) -- 1.6.5.2 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
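Review bot: in the libldb.m4 hunk, `if test x$ldblibdir == x; then` uses `==`, which is not POSIX test syntax; configure runs under /bin/sh (dash on Debian and Ubuntu), where this fails with "unexpected operator", the comparison counts as false, and the `${libdir}/ldb` fallback is never taken, leaving ldblibdir empty. Use a single `=`. Two smaller points in the same hunk: the help string advertises `[/usr/lib/ldb]` as the default while the code falls back to `${libdir}/ldb` (which is /usr/lib64/ldb on 64-bit Fedora), so the text should say `[LIBDIR/ldb]` or similar; and `$PKG_CONFIG` is invoked without checking that it is set, so on a host without pkg-config the error from the backticks is swallowed and the same fallback path is relied on.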
Re: [SSSD] [Patch] Fix for #293
On Wed, Nov 25, 2009 at 09:44:41AM -0500, Simo Sorce wrote:
Add upper-casing of domain when assigning realm.

-- Simo Sorce * Red Hat, Inc * New York

ACK

bye, Sumit
Re: [SSSD] [PATCH] Fix build system issue
On Wed, Nov 25, 2009 at 02:46:02PM -0500, Stephen Gallagher wrote:
On Fedora 11, a bad pkg-config file prevents building the SSSD with the recent patch to detect the LDB module path. This patch should fix that until Fedora releases a fixed package.
https://bugzilla.redhat.com/show_bug.cgi?id=541409

-- Stephen Gallagher RHCE 804006346421761

ACK

bye, Sumit
[SSSD] [PATCH] ipa_access offline support
Hi, I realized that although all attributes are saved, the offline support for the ipa_access module was not present. These two patches should fix it.
0001 adds a general search request for custom attributes
0002 adds sysdb calls to ipa_access if the provider is offline

bye, Sumit

From c28fed110190b87e1dde56e42f74dfabc7925bc1 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 30 Nov 2009 10:48:02 +0100 Subject: [PATCH 1/2] Add sysdb_search_custom request --- server/db/sysdb.h | 11 +++- server/db/sysdb_ops.c | 97 ++--- server/tests/sysdb-tests.c | 172 3 files changed, 206 insertions(+), 74 deletions(-) diff --git a/server/db/sysdb.h b/server/db/sysdb.h index d9f224c..086c837 100644 --- a/server/db/sysdb.h +++ b/server/db/sysdb.h @@ -538,6 +538,14 @@ struct tevent_req *sysdb_store_custom_send(TALLOC_CTX *mem_ctx, struct sysdb_attrs *attrs); int sysdb_store_custom_recv(struct tevent_req *req); +struct tevent_req *sysdb_search_custom_send(TALLOC_CTX *mem_ctx, +struct tevent_context *ev, +struct sysdb_ctx *sysdb, +struct sysdb_handle *handle, +struct sss_domain_info *domain, +const char *filter, +const char *subtree_name, +const char **attrs); struct tevent_req *sysdb_search_custom_by_name_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct sysdb_ctx *sysdb, @@ -548,7 +556,8 @@ struct tevent_req *sysdb_search_custom_by_name_send(TALLOC_CTX *mem_ctx, const char **attrs); int sysdb_search_custom_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, - struct ldb_message **msg); + size_t *msgs_count, + struct ldb_message ***msg); struct tevent_req *sysdb_delete_custom_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c index da53fd3..c237473 100644 --- a/server/db/sysdb_ops.c +++ b/server/db/sysdb_ops.c 
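Review bot: the sysdb.h hunk changes sysdb_search_custom_recv() from returning one `struct ldb_message **msg` to `size_t *msgs_count` plus `struct ldb_message ***msg`, and that recv function is shared with the existing sysdb_search_custom_by_name_send(); every current caller of the by-name variant has to be updated in this same patch, and those callers should treat `*msgs_count > 1` as an error instead of silently using `msgs[0]`. The new `filter` argument also deserves a comment in the header: it is used as the ldb search filter for the custom subtree verbatim, so a caller that interpolates a user-supplied value (a user or host name from a PAM request) into it is responsible for escaping RFC 4515 filter metacharacters first, otherwise the request matches entries the caller did not intend.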
@@ -3395,7 +3395,12 @@ struct tevent_req *sysdb_check_handle_send(TALLOC_CTX *mem_ctx, if (handle != NULL) { state-handle = talloc_memdup(state, handle, sizeof(struct sysdb_handle)); -tevent_req_done(req); +if (state-handle == NULL) { +DEBUG(1, (talloc_memdup failed.\n)); +tevent_req_error(req, ENOMEM); +} else { +tevent_req_done(req); +} tevent_req_post(req, ev); return req; } @@ -3457,6 +3462,7 @@ struct sysdb_search_custom_state { const char **attrs; const char *filter; int scope; +bool expect_not_more_than_one; size_t msgs_count; struct ldb_message **msgs; @@ -3465,6 +3471,70 @@ struct sysdb_search_custom_state { static void sysdb_search_custom_check_handle_done(struct tevent_req *subreq); static void sysdb_search_custom_done(struct tevent_req *subreq); +struct tevent_req *sysdb_search_custom_send(TALLOC_CTX *mem_ctx, +struct tevent_context *ev, +struct sysdb_ctx *sysdb, +struct sysdb_handle *handle, +struct sss_domain_info *domain, +const char *filter, +const char *subtree_name, +const char **attrs) +{ +struct tevent_req *req, *subreq; +struct sysdb_search_custom_state *state; +int ret; + +if (sysdb == NULL handle == NULL) return NULL; + +if (filter == NULL || subtree_name == NULL) return NULL; + +req = tevent_req_create(mem_ctx, state, struct sysdb_search_custom_state); +if (req == NULL) { +DEBUG(1, (tevent_req_create failed.\n)); +return NULL; +} + +state-ev = ev; +state-handle = handle; +state-attrs = attrs; +state-filter = filter; +state-scope = LDB_SCOPE_SUBTREE; +state-expect_not_more_than_one = false; +state-msgs_count = 0; +state-msgs = NULL; + +if (sysdb == NULL) { +sysdb = handle-ctx; +} +state-basedn = sysdb_custom_subtree_dn(sysdb, state, domain-name, +subtree_name); +if (state-basedn == NULL) { +DEBUG(1, (sysdb_custom_subtree_dn failed.\n)); +ret
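Review bot: in the sysdb_search_custom_send() hunk, the parameter checks (`if (filter == NULL || subtree_name == NULL) return NULL;` and the sysdb/handle check before it) bail out before a request exists, and by tevent convention a NULL return is reported to the caller as ENOMEM, which hides a programming error behind an allocation failure. The sysdb_check_handle_send() hunk just above shows the pattern to follow: create the request first and fail it with `tevent_req_error(req, EINVAL)` followed by `tevent_req_post(req, ev)`, so callers see a meaningful error through the usual single completion path. `state->expect_not_more_than_one = false` is initialised here, but the hunk is cut off at `ret` before the place where the by-name variant sets it and where the count is enforced, so that part needs to be checked in the full patch.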
Re: [SSSD] [PATCH] fix nested groups
On Fri, Nov 27, 2009 at 07:13:55PM -0500, Simo Sorce wrote:
When I did the enumgrent optimization patch I totally forgot about nested groups for some reason. Of course I broke them. The gain in performance although was just way too substantial to just revert to the previous way of resolving nested groups again and again at every search.

These 2 patches instead store unrolled groups by adding a new operational attribute: memberuid

This attribute contains just the user name of any user directly or indirectly (through a nested group) members of a group. This way computation is done once at modify time and never again.

Fixes bug #291

Simo.

0001 does not compile:
ldb_modules/memberof.c: In function 'memberof_del':
ldb_modules/memberof.c:1152: error: 'el' undeclared (first use in this function)
ldb_modules/memberof.c:1152: error: (Each undeclared identifier is reported only once
ldb_modules/memberof.c:1152: error: for each function it appears in.)

Do I miss another patch which fixes this?

Why do you save 'only' the name attribute in memberuid and not the DN? It is ok for the nested groups use case, but I think from a general pov it would make sense to store the DN, e.g. if we need to store generic, i.e. non-posix, IPA groups where objects might not have a name attribute.

bye, Sumit
Re: [SSSD] [PATCH] Do not include libsss_ipa.la in rpm package
On Mon, Nov 30, 2009 at 01:35:32PM +0100, Sumit Bose wrote: Hi, I found this while reading fedora-devel :-) bye, Sumit sorry, I meant this one ... From 9fd84e44607dff34d69b7f57d4f5d34a33af0b30 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 30 Nov 2009 13:32:26 +0100 Subject: [PATCH] Do not include libsss_ipa.la in rpm package --- contrib/sssd.spec.in |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 1251fe5..0b3861b 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -110,6 +110,7 @@ rm -f \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \ +$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \ $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la \ $RPM_BUILD_ROOT/%{python_sitearch}/pysss.la -- 1.6.5.2 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
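Review bot: the spec hunk extends a hand-maintained list of `.la` files by one more provider, which is exactly how libsss_ipa.la got missed; replacing the per-module lines with a single `rm -f $RPM_BUILD_ROOT/%{_libdir}/sssd/*.la` (or a `find $RPM_BUILD_ROOT -name '*.la' -delete` covering the krb5 plugin and pysss entries as well) in the same %install step would remove the need to remember the next provider.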
[SSSD] [PATCH] Check LDAP structure before calling ldap_unbind_ext()
Hi, sdap_handle_release() runs through the existing operations before unbinding from the LDAP server. But some of the operations might have called sdap_handle_release(), too, and the LDAP structure is not valid anymore. To avoid an error in the LDAP libraries we check the structure before calling ldap_unbind_ext(). bye, Sumit From 66622f8291d1ef1602b5e25fde286968aa28235f Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Wed, 2 Dec 2009 21:26:37 +0100 Subject: [PATCH] Check LDAP structure before calling ldap_unbind_ext() --- server/providers/ldap/sdap_async.c |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/server/providers/ldap/sdap_async.c b/server/providers/ldap/sdap_async.c index 5a90339..fd9b4ba 100644 --- a/server/providers/ldap/sdap_async.c +++ b/server/providers/ldap/sdap_async.c @@ -107,7 +107,9 @@ static void sdap_handle_release(struct sdap_handle *sh) if (op == sh-ops) talloc_free(op); } -ldap_unbind_ext(sh-ldap, NULL, NULL); +if (sh-ldap) { +ldap_unbind_ext(sh-ldap, NULL, NULL); +} sh-connected = false; sh-ldap = NULL; sh-ops = NULL; -- 1.6.5.2 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
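Review bot: the new `if (sh->ldap)` guard only helps when the nested sdap_handle_release() call, triggered from one of the ops freed in the loop above the hunk, has already set `sh->ldap = NULL` and returned; if a nested call, or a destructor run by `talloc_free(op)`, frees `sh` itself, the outer function continues on a dangling `sh` and the LDAP library error turns into a use-after-free. A re-entrancy guard on the handle (a `releasing` flag set on entry and checked on entry, so the nested call returns immediately) or walking the ops from a copy of the list would make the function safe regardless of what the ops' destructors do; at minimum the comment should state that `sh` must outlive the loop.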
Re: [SSSD] [PATCH] fix nested groups
On Fri, Dec 04, 2009 at 10:57:21AM +1000, David O'Brien wrote:
Simo Sorce wrote:
On Wed, 2009-12-02 at 16:27 -0500, Jenny Galipeau wrote:
Hey, can you give me these scenarios? I have automated tests that check that member and memberof attributes are removed when associated groups and or user members are deleted. I would like to expand these tests for regression testing of the problem.

Ah yes very easy to test actually. This is the test I used:
Create 5 groups A,B,C,D,E
Create 5 users a,b,c,d,e
Add each user to the corresponding group then add each group to another, this is the tree I end up with: BEWARE!! ASCII art follows :)

A--a
 |
 \--B--b
     |
     \--C--c
         |
         \--D--d
             |
             \--E--e

Therefore the memberof attrs for each user are:
a - A
b - A,B
c - A,B,C
d - A,B,C,D
e - A,B,C,D,E

now delete group C the results must be:
a - A
b - A,B
c - none
d - D
e - D,E

If they are different there is a bug.

Simo.

How can I determine which groups are members of which other groups? I created GroupA and GroupB, making B a member of A. I created UserA and UserB, making them members of obvious groups.

# getent -s sss group
GroupA:*:511:UserA,UserB
GroupB:*:512:UserB

That's fine, but how do I know that UserB is a member of GroupA only because of group nesting?

thanks

You have no chance to see this at the level of getent. If you are using IPA or AD as your backends, you can use the tools of the server to figure out which group is a member of which other group. For sssd's LOCAL provider we should provide a tool like sss_groupinfo which can display group membership of groups. Any opinions ?

bye, Sumit
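As an added illustration of what the memberof plugin has to compute (this is not the plugin's code and not part of the thread), the Python below does what the "fix nested groups" message above describes and what the scenario in this message tests: it unrolls direct `member` links into the transitive memberOf set of every object and the flat `memberuid` list of every group, survives a membership loop, and re-runs Simo's five-group scenario after deleting group C. Group and user names are the ones from the scenario; in this toy a name is a group if it has an entry in the `groups` dictionary, whereas the real sysdb tells users and groups apart by DN.

```python
"""Added example, not SSSD's memberof ldb module: transitive group
membership (memberOf) and flattened memberuid from direct member links."""
from typing import Dict, Set, Tuple

Graph = Dict[str, Set[str]]   # group name -> direct members (users or groups)


def unroll(groups: Graph) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (memberuid, memberof).
    memberuid[g]: every user reachable from g through nested groups.
    memberof[x]:  every group that directly or indirectly contains x,
                  computed for users and for groups alike.
    A per-start visited set makes loops (E containing A) harmless."""
    memberuid: Dict[str, Set[str]] = {}
    memberof: Dict[str, Set[str]] = {}
    for start in groups:
        seen = {start}
        stack = [start]
        uids: Set[str] = set()
        while stack:
            cur = stack.pop()
            for m in groups[cur]:
                memberof.setdefault(m, set()).add(start)
                if m in groups:                  # nested group: descend once
                    if m not in seen:
                        seen.add(m)
                        stack.append(m)
                else:
                    uids.add(m)                  # plain user
        memberuid[start] = uids
    return memberuid, memberof


def delete_group(groups: Graph, name: str) -> Graph:
    """Remove a group and every direct reference to it. The caller re-runs
    unroll() afterwards, which is the work the ldb module does at modify
    time so that searches never have to resolve nesting again."""
    return {g: {m for m in ms if m != name}
            for g, ms in groups.items() if g != name}


def scenario() -> Graph:
    """Simo's test tree: user x in group X, each group nested in the
    previous one: A > B > C > D > E."""
    return {"A": {"a", "B"}, "B": {"b", "C"}, "C": {"c", "D"},
            "D": {"d", "E"}, "E": {"e"}}


if __name__ == "__main__":
    before_uid, before_of = unroll(scenario())
    after_uid, after_of = unroll(delete_group(scenario(), "C"))
    for user in "abcde":
        print(user, sorted(before_of.get(user, ())),
              "->", sorted(after_of.get(user, ())))
    print("memberuid A:", sorted(before_uid["A"]), "->", sorted(after_uid["A"]))
```

The output for users a to e matches the two lists in the message. The same function also answers David's question, since `memberof["B"]` shows which groups B is nested in, which is the information `getent group` flattens away.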
Re: [SSSD] [PATCH] Add checks to test the memberuid handling
On Mon, Dec 07, 2009 at 09:19:32AM -0500, Stephen Gallagher wrote:
On 12/03/2009 08:27 AM, Simo Sorce wrote:
On Thu, 2009-12-03 at 11:41 +0100, Sumit Bose wrote:
Hi, this patch adds some tests to check the memberuid generation of the memberof ldb plugin. The first series of tests creates a hierarchy of 10 nested groups, adds a user to each group and then removes a group in the middle of the hierarchy. The second series works similarly but puts the first group in the last one and creates a loop of nested groups.

ACK

Simo.

Revoking this ack. Due to changes made to the members in Simo's "Correctly resolve nested groups" patch, this patch no longer compiles. (changes were made to the sysdb_store_group_send() function signature) Please rebase this patch atop those.

new version attached.

bye, Sumit

-- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/

From 140b6bc4e4a3eb25dadd82668326f25fe9a13886 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 1 Dec 2009 16:24:36 +0100 Subject: [PATCH] Add checks to test the memberuid handling --- server/tests/sysdb-tests.c | 508 ++-- 1 files changed, 495 insertions(+), 13 deletions(-) diff --git a/server/tests/sysdb-tests.c b/server/tests/sysdb-tests.c index 84cf810..70972ca 100644 --- a/server/tests/sysdb-tests.c +++ b/server/tests/sysdb-tests.c 
@@ -43,6 +43,9 @@ #define ASQ_TEST_USER testuser27010 #define ASQ_TEST_USER_UID 27010 +#define MBO_USER_BASE 27500 +#define MBO_GROUP_BASE 28500 + struct sysdb_test_ctx { struct sysdb_ctx *sysdb; struct confdb_ctx *confdb; @@ -879,7 +882,7 @@ static void test_store_custom_done(struct tevent_req *subreq) return test_return(data, ret); } -static void test_search_custom_done(struct tevent_req *req) +static void test_search_done(struct tevent_req *req) { struct test_data *data = tevent_req_callback_data(req, struct test_data); @@ -922,14 +925,6 @@ static void test_delete_custom_done(struct tevent_req *subreq) return test_return(data, ret); } -static void test_asq_search_done(struct tevent_req *req) -{ -struct test_data *data = tevent_req_callback_data(req, struct test_data); - -data-finished = true; -return; -} - static void test_search_all_users_done(struct tevent_req *subreq); static void test_search_all_users(struct tevent_req *subreq) { 
@@ -1011,6 +1006,57 @@ static void test_delete_recursive_done(struct tevent_req *subreq) return test_return(data, ret); } +static void test_memberof_store_group_done(struct tevent_req *subreq); +static void test_memberof_store_group(struct tevent_req *req) +{ +struct test_data *data = tevent_req_callback_data(req, struct test_data); +struct tevent_req *subreq; +int ret; +struct sysdb_attrs *attrs = NULL; +char *member; +int i; + +ret = sysdb_transaction_recv(req, data, data-handle); +if (ret != EOK) { +return test_return(data, ret); +} + +attrs = sysdb_new_attrs(data); +if (!attrs) { +return test_return(data, ENOMEM); +} +for (i = 0; data-attrlist data-attrlist[i]; i++) { +member = sysdb_group_strdn(data, data-ctx-domain-name, + data-attrlist[i]); +if (!member) { +return test_return(data, ENOMEM); +} +ret = sysdb_attrs_steal_string(attrs, SYSDB_MEMBER, member); +if (ret != EOK) { +return test_return(data, ret); +} +} + +subreq = sysdb_store_group_send(data, data-ev, data-handle, +data-ctx-domain, data-groupname, +data-gid, attrs, -1); +if (!subreq) { +test_return(data, ret); +} +tevent_req_set_callback(subreq, test_memberof_store_group_done, data); +} + +static void test_memberof_store_group_done(struct tevent_req *subreq) +{ +struct test_data *data = tevent_req_callback_data(subreq, struct test_data); +int ret; + +ret = sysdb_store_group_recv(subreq); +talloc_zfree(subreq); + +return test_return(data, ret); +} + START_TEST (test_sysdb_store_user) { struct sysdb_test_ctx *test_ctx; @@ -1935,7 +1981,7 @@ START_TEST (test_sysdb_search_custom_by_name) } if (ret == EOK) { -tevent_req_set_callback(subreq
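Review bot: in the test_memberof_store_group() hunk, the failure branch after `subreq = sysdb_store_group_send(...)` reads `if (!subreq) { test_return(data, ret); }` with no `return` and with `ret` still holding EOK from the last successful sysdb_attrs_steal_string() call, so on allocation failure the test records success and then calls tevent_req_set_callback() on a NULL request. It should be `return test_return(data, ENOMEM);`, matching the other error paths in the same function (`return test_return(data, ENOMEM);` after sysdb_new_attrs() and sysdb_group_strdn()).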
[SSSD] [PATCH] Add dummy credentials to an empty ccache file
Hi, this patch is the first step to solve #304. It adds some more information into an empty ticket. I think this is as much as we can do to make krb5-auth-dialog happy, because krb5-auth-dialog overwrites the client principal found in the ccache with its own data in ka_parse_name(). This data is either just the user name, and the realm is added by the kerberos libraries as default_realm from krb5.conf, or, if set, the principal set with krb5-auth-dialog-preferences is taken.

For a quick fix there are two possibilities:
- set the default_realm in krb5.conf or
- set the principal with krb5-auth-dialog-preferences

Additionally I'll try to contact the authors of krb5-auth-dialog to see if they agree to try with the principal found in the ccache file if the principal is not explicitly set and use the user name as a fallback.

bye, Sumit

From d8cd00633bbf81a2726dc4f87cb72dd6aa6a9bf3 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 7 Dec 2009 15:07:26 +0100 Subject: [PATCH] Add dummy credentials to an empty ccache file Applications like krb5-auth-dialog might get confused if there is a credential cache file without any credentials in it. This patch adds an expired credential where only the client and the server principal are set. The client principal is the user's principal and the server principal corresponds to a TGT principal of the realm the user belongs to. --- server/providers/krb5/krb5_child.c | 56 ++- 1 files changed, 54 insertions(+), 2 deletions(-) diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c index c0e9fbf..2f48574 100644 --- a/server/providers/krb5/krb5_child.c +++ b/server/providers/krb5/krb5_child.c 
@@ -98,6 +98,49 @@ static const char *__krb5_error_msg; sss_krb5_free_error_message(krb5_error_ctx, __krb5_error_msg); \ } while(0); +static krb5_error_code create_empty_cred(struct krb5_req *kr, krb5_creds **_cred) +{ +krb5_error_code kerr; +krb5_creds *cred = NULL; +krb5_data *krb5_realm; + +cred = calloc(sizeof(krb5_creds), 1); +if (cred == NULL) { +DEBUG(1, (calloc failed.\n)); +return ENOMEM; +} + +kerr = krb5_copy_principal(kr-ctx, kr-princ, cred-client); +if (kerr != 0) { +DEBUG(1, (krb5_copy_principal failed.\n)); +goto done; +} + +krb5_realm = krb5_princ_realm(kr-ctx, kr-princ); + +kerr = krb5_build_principal_ext(kr-ctx, cred-server, +krb5_realm-length, krb5_realm-data, +KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME, +krb5_realm-length, krb5_realm-data, 0); +if (kerr != 0) { +DEBUG(1, (krb5_build_principal_ext failed.\n)); +goto done; +} + +done: +if (kerr != 0) { +if (cred != NULL cred-client != NULL) { +krb5_free_principal(kr-ctx, cred-client); +} + +free(cred); +} else { +*_cred = cred; +} + +return kerr; +} + static krb5_error_code create_ccache_file(struct krb5_req *kr, krb5_creds *creds) { krb5_error_code kerr; @@ -107,6 +150,7 @@ static krb5_error_code create_ccache_file(struct krb5_req *kr, krb5_creds *creds size_t ccname_len; char *dummy; char *tmp_ccname; +krb5_creds *l_cred; if (strncmp(kr-ccname, FILE:, 5) == 0) { cc_file_name = kr-ccname + 5; @@ -149,12 +193,20 @@ static krb5_error_code create_ccache_file(struct krb5_req *kr, krb5_creds *creds fd = -1; } -if (creds != NULL) { -kerr = krb5_cc_store_cred(kr-ctx, tmp_cc, creds); +if (creds == NULL) { +kerr = create_empty_cred(kr, l_cred); if (kerr != 0) { KRB5_DEBUG(1, kerr); goto done; } +} else { +l_cred = creds; +} + +kerr = krb5_cc_store_cred(kr-ctx, tmp_cc, l_cred); +if (kerr != 0) { +KRB5_DEBUG(1, kerr); +goto done; } kerr = krb5_cc_close(kr-ctx, tmp_cc); -- 1.6.5.2 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
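Review bot: in the create_ccache_file() hunk, the credential obtained from create_empty_cred() on the `creds == NULL` path is stored with krb5_cc_store_cred() but never released, so `l_cred` and its two principals leak (a `krb5_free_creds(kr->ctx, l_cred)` after the store, on that path only, fixes it; minor in a short-lived child, but cheap). In create_empty_cred(), returning ENOMEM from a function typed krb5_error_code mixes the errno and krb5 error spaces, so the KRB5_DEBUG() at the call site prints a misleading message for that case; and `calloc(sizeof(krb5_creds), 1)` has the nmemb and size arguments swapped (harmless, but `calloc(1, sizeof(krb5_creds))` is the conventional form). The dummy credential has all of its times at zero, i.e. it is expired from the moment it is written, which is the intent; a comment saying so would stop a future reader from treating the presence of a krbtgt entry in this ccache as proof of a valid ticket.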
Re: [SSSD] [PATCH] dhash: change API to be more talloc friendly
On Tue, Dec 08, 2009 at 11:08:07AM -0500, Simo Sorce wrote: Minor changes so we can pass down a memory context when using talloc. Simo. applies, compiles and all tests succeeded ACK bye, Sumit -- Simo Sorce * Red Hat, Inc * New York
Re: [SSSD] [PATCH] Reduce code duplication between the LDAP child and the Kerberos child
On Tue, Dec 08, 2009 at 08:52:57PM +0100, Jakub Hrozek wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Fixes: #294 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkserpAACgkQHsardTLnvCXA+ACgmb2QDZ7B6etM17qNJLDoOE8i dJ8AoOAxCLAtgbiu10ubhLKkIhNKlly+ =Cgj2 -END PGP SIGNATURE- works fine for me, ACK bye, Sumit ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCH] Add German translation
On Wed, Dec 09, 2009 at 07:11:52AM -0500, Stephen Gallagher wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 See $SUBJECT - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAksflAgACgkQeiVVYja6o6P0OQCeLdCXweBKJL1l89cfKGQHgYp+ PMMAnjADcFsETHoq8utqnQ7jq/4NS013 =f7UK -END PGP SIGNATURE- I have added some missing trailing spaces and (hopefully) fixed the non-ASCII UTF-8 characters. bye, Sumit From cbd07f7e55d83e30e6f423109548f58dc1eeb896 Mon Sep 17 00:00:00 2001 From: Fabian Affolter f...@fedoraproject.org Date: Wed, 9 Dec 2009 07:08:38 -0500 Subject: [PATCH] Add German translation --- server/po/LINGUAS |1 + server/po/de.po | 655 + sss_client/po/LINGUAS |1 + sss_client/po/de.po | 39 +++ 4 files changed, 696 insertions(+), 0 deletions(-) create mode 100644 server/po/de.po create mode 100644 sss_client/po/de.po diff --git a/server/po/LINGUAS b/server/po/LINGUAS index 1c2f058..f1fcda0 100644 --- a/server/po/LINGUAS +++ b/server/po/LINGUAS @@ -3,4 +3,5 @@ pl ja nl pt +de diff --git a/server/po/de.po b/server/po/de.po new file mode 100644 index 000..bce49b8 --- /dev/null +++ b/server/po/de.po 
@@ -0,0 +1,655 @@ +# German translation of sssd. +# Copyright (C) 2009 Red Hat, Inc. +# This file is distributed under the same license as the sssd package. +# +# Fabian Affolter f...@fedoraproject.org, YEAR. +# +msgid +msgstr +Project-Id-Version: SSS\n +Report-Msgid-Bugs-To: sssd-de...@lists.fedorahosted.org\n +POT-Creation-Date: 2009-11-23 12:37-0500\n +PO-Revision-Date: 2009-12-09 11:13+0100\n +Last-Translator: Fabian Affolter f...@fedoraproject.org\n +Language-Team: German fedora-trans...@redhat.com\n +MIME-Version: 1.0\n +Content-Type: text/plain; charset=utf-8\n +Content-Transfer-Encoding: 8bit\n +X-Poedit-Language: German\n + +#: config/SSSDConfig.py:39 +msgid Set the verbosity of the debug logging +msgstr + +#: config/SSSDConfig.py:40 +msgid Include timestamps in debug logs +msgstr + +#: config/SSSDConfig.py:41 +msgid Write debug messages to logfiles +msgstr + +#: config/SSSDConfig.py:42 +msgid Ping timeout before restarting service +msgstr + +#: config/SSSDConfig.py:43 +msgid Command to start service +msgstr + +#: config/SSSDConfig.py:44 +msgid Number of times to attempt connection to Data Providers +msgstr + +#: config/SSSDConfig.py:47 +msgid SSSD Services to start +msgstr + +#: config/SSSDConfig.py:48 +msgid SSSD Domains to start +msgstr + +#: config/SSSDConfig.py:49 +msgid Timeout for messages sent over the SBUS +msgstr + +#: config/SSSDConfig.py:50 +msgid Regex to parse username and domain +msgstr + +#: config/SSSDConfig.py:51 +msgid Printf-compatible format for displaying fully-qualified names +msgstr + +#: config/SSSDConfig.py:54 +msgid Enumeration cache timeout length (seconds) +msgstr + +#: config/SSSDConfig.py:55 +msgid Entry cache background update timeout length (seconds) +msgstr + +#: config/SSSDConfig.py:56 +msgid Negative cache timeout length (seconds) +msgstr + +#: config/SSSDConfig.py:57 +msgid Users that SSSD should explicitly ignore +msgstr + +#: config/SSSDConfig.py:58 +msgid Groups that SSSD should explicitly ignore +msgstr + +#: 
config/SSSDConfig.py:59 +msgid Should filtered users appear in groups +msgstr + +#: config/SSSDConfig.py:60 +msgid The value of the password field the NSS provider should return +msgstr + +#: config/SSSDConfig.py:63 +msgid How long to allow cached logins between online logins (days) +msgstr + +#: config/SSSDConfig.py:66 +msgid Identity provider +msgstr + +#: config/SSSDConfig.py:67 +msgid Authentication provider +msgstr + +#: config/SSSDConfig.py:68 +msgid Access control provider +msgstr + +#: config/SSSDConfig.py:69 +msgid Password change provider +msgstr + +#: config/SSSDConfig.py:72 +msgid Minimum user ID +msgstr + +#: config/SSSDConfig.py:73 +msgid Maximum user ID +msgstr + +#: config/SSSDConfig.py:74 +msgid Ping timeout before restarting domain +msgstr + +#: config/SSSDConfig.py:75 +msgid Enable enumerating all users/groups +msgstr + +#: config/SSSDConfig.py:76 +msgid Cache credentials for offline login +msgstr + +#: config/SSSDConfig.py:77 +msgid Store password hashes +msgstr + +#: config/SSSDConfig.py:78 +msgid Display users/groups in fully-qualified form +msgstr + +#: config/SSSDConfig.py:79 +msgid Entry cache timeout length (seconds) +msgstr + +#: config/SSSDConfig.py:82 +msgid IPA domain +msgstr IPA-Domain + +#: config/SSSDConfig.py:83 +msgid IPA server address +msgstr IPA-Serveradresse + +#: config/SSSDConfig.py:84 +msgid IPA client hostname +msgstr IPA-Client-Rechnername + +#: config/SSSDConfig.py:87 +#: config/SSSDConfig.py:114 +msgid Kerberos server
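Review bot: in the server/po/de.po hunk nearly every msgstr is empty, so most of the 655 added lines are untranslated placeholders; only a handful of entries (IPA domain, IPA server address, IPA client hostname) carry German text. gettext falls back to the English msgid for empty entries, so this is harmless at runtime, but the subject line "Add German translation" overstates what the hunk delivers. Either trim the catalogue to the translated entries or say in the commit message that it is a skeleton to be completed.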
Re: [SSSD] sssd.spec for SLES
On Wed, Dec 09, 2009 at 02:21:05PM +0300, Sergei V. Kovylov wrote: Here you may find a patch for the sssd.spec file which provides a correct build of sssd for SLES (tested on SLES10SP1). In brief: There are 3 essences: redhat, fedora, sles, which are detected by the existence of the /etc/<vendor>-release file (e.g. /etc/SuSE-release) in the spec, and all necessary actions are done according to the OS detection. Additionally for SLES there is the --without-selinux flag while configuring, as SLES doesn't support SELinux. Thank you for the patch. Can you please provide the spec file for the SLES build as a separate file in sssd/contrib/suse/sssd.spec.in ? See https://fedorahosted.org/pipermail/sssd-devel/2009-December/001786.html for the reasoning. I would also recommend not to use the /etc/*-release files to check for the distribution, but to rely on the variables defined by rpm. My experience is that, e.g., the openSUSE build system does not always install /etc/SuSE-release for SUSE builds. But there is a nice overview of the variables defined by various distributions in http://en.opensuse.org/Build_Service/cross_distribution_package_how_to bye, Sumit
Re: [SSSD] sssd.spec for SLES
On Thu, Dec 10, 2009 at 01:26:11PM +0300, Sergei V. Kovylov wrote: Hi all. Here is a patch to create sssd/contrib/suse/sssd.spec.in for the SLES build. It's been tested under SLES10SP1 and SLES10SP2. The only problem is to make the main ./configure process use --with-os for correct detection of the spec. Thanks, I just have one minor request, can you change the BuildRequires c-ares-devel to libcares-devel. c-ares is not available on SLES10 so I assume you have built it yourself and called it the same as on Fedora. But newer SUSE versions provide c-ares as libcares2 and libcares-devel. (Btw. if you are interested in SUSE builds of sssd you might want to have a look at http://download.opensuse.org/repositories/home:/sbose:/sssd/) It would be convenient for us if you can provide your patch as a git patch, but if it's easier for you to send standard patches I will create the git patch and add you as the author. bye, Sumit
Re: [SSSD] sssd.spec for SLES
On Thu, Dec 10, 2009 at 11:04:17PM +0300, Sergei V. Kovylov wrote: Hi Sumit. Thanks for this repo, I'll change all BuildRequires to the names of the libraries from the repo. sorry, the patch is missing Yes, I've made special builds from Fedora srpms (as I work under it) because it was the fastest way for me. 2009/12/10 Sumit Bose sb...@redhat.com: On Thu, Dec 10, 2009 at 01:26:11PM +0300, Sergei V. Kovylov wrote: Hi all. Here is a patch to create sssd/contrib/suse/sssd.spec.in for the SLES build. It's been tested under SLES10SP1 and SLES10SP2. The only problem is to make the main ./configure process use --with-os for correct detection of the spec. Thanks, I just have one minor request, can you change the BuildRequires c-ares-devel to libcares-devel. c-ares is not available on SLES10 so I assume you have built it yourself and called it the same as on Fedora. But newer SUSE versions provide c-ares as libcares2 and libcares-devel. (Btw. if you are interested in SUSE builds of sssd you might want to have a look at http://download.opensuse.org/repositories/home:/sbose:/sssd/) It would be convenient for us if you can provide your patch as a git patch, but if it's easier for you to send standard patches I will create the git patch and add you as the author. bye, Sumit
Re: [SSSD] [PATCH] Always update sysdb to the latest version
On Thu, Dec 10, 2009 at 03:33:28PM -0500, Simo Sorce wrote: On Wed, 2009-12-09 at 15:13 -0500, Stephen Gallagher wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/09/2009 02:26 PM, Stephen Gallagher wrote: On 12/09/2009 12:21 PM, Sumit Bose wrote: Hi, this is a quick fix for #285 by calling sysdb_upgrade_03() after sysdb_upgrade_02() is done. I'm thinking of refactoring all the upgrade calls into one function which can be called multiple times from different places of the code, but for the time being I think the patch is sufficient. bye, Sumit Nack. The DEBUG statement for the upgrade to version 3 should use %s (like the change you made to the other one). Also, please s/form/from/ in both messages. Attached patch fixes the above concerns. Ack Also see attached followup patch to further upgrade to 05 Simo. ACK bye, Sumit
Re: [SSSD] [PATCH] fix upgrade from very old DBs
On Thu, Dec 10, 2009 at 04:47:47PM -0500, Simo Sorce wrote: See also bug #322 Simo. ACK bye, Sumit ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
[SSSD] [PATCH] Minor fixes
Hi, 0001: I got an error with older python version when just calling exit(). 'TypeError: 'str' object is not callable' 0002: make check failed when using the tar ball, because elapi_ut.conf was missing 0003: Older versions of check do not have test loops. bye, Sumit From 131b0e03f4e181145cca2d0347a736edff2fdb6d Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Fri, 11 Dec 2009 15:37:00 +0100 Subject: [PATCH 1/3] Use sys.exit instead of exit --- server/config/SSSDConfigTest.py |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/server/config/SSSDConfigTest.py b/server/config/SSSDConfigTest.py index 9b7599c..f893d98 100755 --- a/server/config/SSSDConfigTest.py +++ b/server/config/SSSDConfigTest.py @@ -1359,6 +1359,7 @@ if __name__ == __main__: error = 0 import os +import sys srcdir = os.getenv('srcdir') if srcdir: srcdir = srcdir + /config @@ -1390,4 +1391,4 @@ if __name__ == __main__: if not res.wasSuccessful(): error |= 0x10 -exit(error) +sys.exit(error) -- 1.6.5.2 From ad86ac3efa7b86dd86064168a71c1b105ce4e254 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Fri, 11 Dec 2009 16:12:20 +0100 Subject: [PATCH 2/3] Add elapi_ut.conf to the list of dist files Some newlines are added, too. --- common/elapi/elapi_test/Makefile.am |3 ++- common/elapi/elapi_test/elapi_ut.c |4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/common/elapi/elapi_test/Makefile.am b/common/elapi/elapi_test/Makefile.am index d9f1bb0..8a24b9f 100644 --- a/common/elapi/elapi_test/Makefile.am +++ b/common/elapi/elapi_test/Makefile.am @@ -18,7 +18,8 @@ AM_CPPFLAGS = -I$(topdir) -I$(topdir)/ini -I$(topdir)/trace -I$(topdir)/collecti ACLOCAL_AMFLAGS = -I m4 -dist_noinst_DATA = m4 +dist_noinst_DATA = m4 \ +elapi_ut.conf # Build library noinst_LTLIBRARIES = libelapi_test.la diff --git a/common/elapi/elapi_test/elapi_ut.c b/common/elapi/elapi_test/elapi_ut.c index ba493bb..49fe1a2 100644 --- a/common/elapi/elapi_test/elapi_ut.c 
+++ b/common/elapi/elapi_test/elapi_ut.c @@ -40,7 +40,7 @@ int elapi_init_test(void) error = elapi_init(APPNAME, ./ELAPI_CONFIG_FILE); if (error) { -printf(elapi_init failed: %d, error); +printf(elapi_init failed: %d\n, error); return error; } @@ -59,7 +59,7 @@ int elapi_get_default_tplt_test(void) error = elapi_get_default_tplt(tpl); if (error) { -printf(elapi_get_default_tplt failed: %d, error); +printf(elapi_get_default_tplt failed: %d\n, error); return error; } -- 1.6.5.2 From 48855a0f7ea6cf74eacfd210cefe7fdc6421c12a Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Fri, 11 Dec 2009 16:15:41 +0100 Subject: [PATCH 3/3] Check for minimal version of check Test loops and _i are only available since 0.9.5. --- server/configure.ac |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/server/configure.ac b/server/configure.ac index e471c84..2c78846 100644 --- a/server/configure.ac +++ b/server/configure.ac @@ -113,7 +113,7 @@ AC_CHECK_HEADERS([sys/inotify.h]) AC_CHECK_HEADERS([sasl/sasl.h],,AC_MSG_ERROR([Could not find SASL headers])) -PKG_CHECK_MODULES([CHECK], [check], [have_check=1], [have_check=]) +PKG_CHECK_MODULES([CHECK], [check = 0.9.5], [have_check=1], [have_check=]) if test x$have_check = x; then AC_MSG_WARN([Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite]) fi -- 1.6.5.2 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
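Review bot: in the server/configure.ac hunk, PKG_CHECK_MODULES([CHECK], [check = 0.9.5], [have_check=1], [have_check=]) as shown requires exactly version 0.9.5, while the commit message ("Test loops and _i are only available since 0.9.5") describes a minimum version; the constraint should read `check >= 0.9.5`, otherwise every newer check release silently disables the test suite with only the AC_MSG_WARN below. Please double-check the operator in the patch as applied.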
[SSSD] [PATCH] two fixes for make distcheck
Hi, these two patches fixes two issues during make distcheck. bye, Sumit From c699a68adf5ef1c13e2152cdf6a9504883c349dd Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 14 Dec 2009 13:50:39 +0100 Subject: [PATCH 1/2] Build python modules in builddir --- server/Makefile.am |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/server/Makefile.am b/server/Makefile.am index 0cd320d..cc24ca2 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -809,9 +809,9 @@ installsssddirs:: install-exec-hook: installsssddirs if [ $(DESTDIR) = ]; then \ - cd $(srcdir)/config; $(PYTHON) setup.py install --prefix=$(PYTHON_PREFIX); \ + cd $(srcdir)/config; $(PYTHON) setup.py build --build-base $(abs_builddir)/config install --prefix=$(PYTHON_PREFIX); \ else \ - cd $(srcdir)/config; $(PYTHON) setup.py install --prefix=$(PYTHON_PREFIX) --root=$(DESTDIR); \ + cd $(srcdir)/config; $(PYTHON) setup.py build --build-base $(abs_builddir)/config install --prefix=$(PYTHON_PREFIX) --root=$(DESTDIR); \ fi clean-local: -- 1.6.5.2 From f775bc33d2cf8d86fac8a7ae31941a56ec7f9111 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 14 Dec 2009 13:52:06 +0100 Subject: [PATCH 2/2] Use --with-ldb-lib-dir while running make distcheck --- Makefile.am |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/Makefile.am b/Makefile.am index 84040ee..dd70034 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,5 +1,7 @@ SUBDIRS = replace common server sss_client +DISTCHECK_CONFIGURE_FLAGS = --with-ldb-lib-dir=$$dc_install_base/lib/ldb + RPMBUILD ?= $(PWD)/rpmbuild #Some old versions of automake don't define builddir -- 1.6.5.2 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
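Review bot: in the server/Makefile.am hunk both rewritten branches still chain `cd $(srcdir)/config; $(PYTHON) setup.py build ...` with `;`, so if the cd fails setup.py runs from whatever the current directory is and the recipe does not stop; `cd $(srcdir)/config && $(PYTHON) setup.py ...` makes the failure fatal. Not introduced by this change, but since both lines are being rewritten anyway this is the moment to fix it.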
Re: [SSSD] sssd.spec for SLES
On Fri, Dec 11, 2009 at 02:58:36PM +0300, Sergei V. Kovylov wrote: Oh sorry - my mistake. Unfortunately, I'm not able to do a patch in git format, as I've never worked with git. ok, I have 'converted' it to a git patch and I was able to build SLES10 rpms with this patch, so ACK. Also maybe a good idea is to create a page in the wiki "How to contribute patches" and describe some basic steps. 2009/12/10 Sumit Bose sb...@redhat.com: On Thu, Dec 10, 2009 at 11:04:17PM +0300, Sergei V. Kovylov wrote: Hi Sumit. Thanks for this repo, I'll change all BuildRequires to the names of the libraries from the repo. sorry, the patch is missing Yes, I've made special builds from Fedora srpms (as I work under it) because it was the fastest way for me. 2009/12/10 Sumit Bose sb...@redhat.com: On Thu, Dec 10, 2009 at 01:26:11PM +0300, Sergei V. Kovylov wrote: Hi all. Here is a patch to create sssd/contrib/suse/sssd.spec.in for the SLES build. It's been tested under SLES10SP1 and SLES10SP2. The only problem is to make the main ./configure process use --with-os for correct detection of the spec. Yes, I'll try to find out how to tell the autotools to do this. bye, Sumit Thanks, I just have one minor request, can you change the BuildRequires c-ares-devel to libcares-devel. c-ares is not available on SLES10 so I assume you have built it yourself and called it the same as on Fedora. But newer SUSE versions provide c-ares as libcares2 and libcares-devel. (Btw. if you are interested in SUSE builds of sssd you might want to have a look at http://download.opensuse.org/repositories/home:/sbose:/sssd/) It would be convenient for us if you can provide your patch as a git patch, but if it's easier for you to send standard patches I will create the git patch and add you as the author. 
bye, Sumit ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel diff -uNr sssd/contrib/suse/sssd.spec.in sssd.b/contrib/suse/sssd.spec.in --- sssd/contrib/suse/sssd.spec.in 1970-01-01 00:00:00.0 + +++ sssd.b/contrib/suse/sssd.spec.in2009-12-11 11:26:30.207320763 + 
@@ -0,0 +1,238 @@ +%{!?python_sitearch: %global python_sitearch %(%{__python} -c from distutils.sysconfig import *; import sys; sys.stdout.write(get_python_lib(1)))} +%{!?python_sitelib: %global python_sitelib %(%{__python} -c from distutils.sysconfig import *; import sys; sys.stdout.write(get_python_lib()))} + +Name: @PACKAGE_NAME@ +Version: @PACKAGE_VERSION@ +Release: 0...@prerelease_version@%{?dist} +Group: Applications/System +Summary: System Security Services Daemon +# The entire source code is GPLv3+ except replace/ which is LGPLv3+ +License: GPLv3+ and LGPLv3+ +URL: http://www.freeipa.org/ +Source0: %{name}-%{version}.tar.gz +BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XX) + +### Patches ### + +### Dependencies ### + +Requires: libldb0 = 0.9.3 +Requires: libtdb1 = 1.1.3 +Requires: sssd-client = %{version}-%{release} +Requires: cyrus-sasl-gssapi +Requires(post): python +Requires(preun): aaa_base procps filesystem +Requires(postun): /sbin/service + +%define servicename sssd +%define sssdstatedir %{_localstatedir}/lib/sss +%define dbpath %{sssdstatedir}/db +%define pipepath %{sssdstatedir}/pipes +%define pubconfpath %{sssdstatedir}/pubconf + +### Build Dependencies ### + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +BuildRequires: m4 +BuildRequires: popt-devel +BuildRequires: libtalloc-devel +BuildRequires: libtevent0-devel +BuildRequires: libtdb1-devel +BuildRequires: libldb0-devel +BuildRequires: libcares-devel +BuildRequires: dbus-1-devel +BuildRequires: dbus-1 +BuildRequires: openldap2-devel +BuildRequires: pam-devel +BuildRequires: mozilla-nss-devel +BuildRequires: mozilla-nspr-devel +BuildRequires: pcre-devel +BuildRequires: libxslt +BuildRequires: libxml2 +BuildRequires: docbook-xsl-stylesheets +BuildRequires: krb5-devel +BuildRequires: python-devel + +%description +Provides a set of daemons to manage access to remote directories and +authentication mechanisms. 
It provides an NSS and PAM interface toward +the system and a pluggable backend system to connect to multiple different +account sources. It is also the basis to provide client auditing and policy +services for projects like FreeIPA. + +%package client +Summary: SSSD Client libraries for NSS and PAM +Group: Applications/System + +%description
Re: [SSSD] [PATCH] fix for #323
On Mon, Dec 14, 2009 at 04:03:27PM -0500, Simo Sorce wrote: Now the upgrade process can cope with converting old ssd.ldb files into multiple databases even if the new config file does not include a local provider anymore. Tested with a v1 db file and it seems to work fine with and w/o a LOCAL provider defined in the configuration. I can confirm that it works with a v1 db file with and without LOCAL, I haven't tested with other versions, but by inspecting the code I'm confident that it will work, too. ACK bye, Sumit Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [SSSD] [PATCH] Cleanup db files after test run
Ok this new version deletes the files only if there were no errors and adds a missing dependency when sysdb-tests is build individually in a clean tree. bye, Sumit On Tue, Dec 15, 2009 at 06:41:48AM -0500, Stephen Gallagher wrote: Nack. Please make this conditional on success of all tests. If any tests fail, it can be useful to examine the contents of the DB files. On Dec 15, 2009, at 6:38 AM, Sumit Bose sb...@redhat.com wrote: Hi, with this patch the two ldb files created by the sysdb test are deleted at the end of the test run. With this and the other two distcheck patches applied 'make distcheck' should run flawlessly (again?). bye, Sumit 0001-Cleanup-db-files-after-test-run.patch ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel From d669f4435d14cceaaba1616e12b96daf63b3c289 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 15 Dec 2009 10:37:27 +0100 Subject: [PATCH] Cleanup db files after test run --- server/Makefile.am |2 ++ server/tests/sysdb-tests.c | 21 +++-- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/server/Makefile.am b/server/Makefile.am index 95d78ef..a7fd8c4 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -417,6 +417,8 @@ sss_groupmod_LDADD = \ # Feature Tests # # if HAVE_CHECK +sysdb_tests_DEPENDENCIES = \ +$(ldblib_LTLIBRARIES) sysdb_tests_SOURCES = \ tests/sysdb-tests.c \ $(SSSD_UTIL_OBJ) diff --git a/server/tests/sysdb-tests.c b/server/tests/sysdb-tests.c index 70972ca..ace0343 100644 --- a/server/tests/sysdb-tests.c +++ b/server/tests/sysdb-tests.c @@ -31,6 +31,7 @@ #include db/sysdb_private.h #define TESTS_PATH tests_sysdb +#define TEST_CONF_FILE tests_conf.ldb #define TEST_ATTR_NAME test_attr_name #define TEST_ATTR_VALUE test_attr_value 
@@ -86,7 +87,7 @@ static int setup_sysdb_tests(struct sysdb_test_ctx **ctx) return EIO; } -conf_db = talloc_asprintf(test_ctx, %s/tests_conf.ldb, TESTS_PATH); +conf_db = talloc_asprintf(test_ctx, %s/%s, TESTS_PATH, TEST_CONF_FILE); if (conf_db == NULL) { fail(Out of memory, aborting!); talloc_free(test_ctx); @@ -3066,5 +3067,21 @@ int main(int argc, const char *argv[]) { srunner_run_all(sr, CK_ENV); failure_count = srunner_ntests_failed(sr); srunner_free(sr); -return (failure_count==0 ? EXIT_SUCCESS : EXIT_FAILURE); +if (failure_count == 0) { +ret = unlink(TESTS_PATH/TEST_CONF_FILE); +if (ret != EOK) { +fprintf(stderr, Could not delete the test config ldb file (%d) (%s)\n, +errno, strerror(errno)); +return EXIT_FAILURE; +} +ret = unlink(TESTS_PATH/LOCAL_SYSDB_FILE); +if (ret != EOK) { +fprintf(stderr, Could not delete the test config ldb file (%d) (%s)\n, +errno, strerror(errno)); +return EXIT_FAILURE; +} + +return EXIT_SUCCESS; +} +return EXIT_FAILURE; } -- 1.6.5.2 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
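Review bot: in the sysdb-tests.c main() hunk, the second unlink() error message is a copy of the first and says "Could not delete the test config ldb file" when it is LOCAL_SYSDB_FILE that failed to delete; give it its own text (e.g. "Could not delete the local sysdb file") so a failure names the right file. The hunk also uses `ret`, `errno` and `strerror()` but shows no declaration of `ret` and no #include of errno.h/unistd.h in this file; please confirm they are already present so the test still builds.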
[SSSD] [PATCH] Handle chauthtok with PAM_PRELIM_CHECK separately
Hi, this patch should fix #326 Missing checks in PAM_PRELIM_CHECK Currently we collect old and new password in pam_sss and send them together to the sssd to change to password. But it is expected that during the first call to pam_sm_chauthtok, when PAM_PRELIM_CHECK is set, the old password is validated to give a feedback to the user before the new password is requested. Please check and test carefully. bye, Sumit From 2f35ff3aa9d9be628d9e70a02faacc4e59a2b874 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Wed, 16 Dec 2009 12:53:55 +0100 Subject: [PATCH] Handle chauthtok with PAM_PRELIM_CHECK separately If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we generate a separate call to the sssd to validate the old password before asking for a new password and sending the change password request. --- server/providers/data_provider_be.c |1 + server/providers/krb5/krb5_auth.c | 15 +-- server/providers/krb5/krb5_child.c | 34 +++--- server/providers/ldap/ldap_auth.c | 26 +++--- server/providers/proxy.c|9 - server/responder/pam/pamsrv_cmd.c |6 ++ sss_client/pam_sss.c|2 +- sss_client/sss_cli.h|2 +- 8 files changed, 72 insertions(+), 23 deletions(-) diff --git a/server/providers/data_provider_be.c b/server/providers/data_provider_be.c index 02d5a0d..05f3eaf 100644 --- a/server/providers/data_provider_be.c +++ b/server/providers/data_provider_be.c @@ -565,6 +565,7 @@ static int be_pam_handler(DBusMessage *message, struct sbus_connection *conn) target = BET_ACCESS; break; case SSS_PAM_CHAUTHTOK: +case SSS_PAM_CHAUTHTOK_PRELIM: target = BET_CHPASS; break; default: diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c index 4581278..10e6797 100644 --- a/server/providers/krb5/krb5_auth.c +++ b/server/providers/krb5/krb5_auth.c 
@@ -398,9 +398,11 @@ static struct krb5_ctx *get_krb5_ctx(struct be_req *be_req) struct krb5_ctx); break; case SSS_PAM_CHAUTHTOK: +case SSS_PAM_CHAUTHTOK_PRELIM: return talloc_get_type(be_req-be_ctx-bet_info[BET_CHPASS].pvt_bet_data, struct krb5_ctx); break; +break; default: DEBUG(1, (Unsupported PAM task.\n)); return NULL; @@ -685,14 +687,16 @@ void krb5_pam_handler(struct be_req *be_req) pd = talloc_get_type(be_req-req_data, struct pam_data); -if (pd-cmd != SSS_PAM_AUTHENTICATE pd-cmd != SSS_PAM_CHAUTHTOK) { +if (pd-cmd != SSS_PAM_AUTHENTICATE pd-cmd != SSS_PAM_CHAUTHTOK +pd-cmd != SSS_PAM_CHAUTHTOK_PRELIM) { DEBUG(4, (krb5 does not handles pam task %d.\n, pd-cmd)); pam_status = PAM_SUCCESS; dp_err = DP_ERR_OK; goto done; } -if (be_is_offline(be_req-be_ctx) pd-cmd == SSS_PAM_CHAUTHTOK) { +if (be_is_offline(be_req-be_ctx) +(pd-cmd == SSS_PAM_CHAUTHTOK || pd-cmd == SSS_PAM_CHAUTHTOK_PRELIM)) { DEBUG(9, (Password changes are not possible while offline.\n)); pam_status = PAM_AUTHINFO_UNAVAIL; dp_err = DP_ERR_OFFLINE; @@ -958,6 +962,12 @@ static void krb5_child_done(struct tevent_req *req) pd-pam_status = *msg_status; } +if (*msg_status == PAM_SUCCESS pd-cmd == SSS_PAM_CHAUTHTOK_PRELIM) { +pam_status = PAM_SUCCESS; +dp_err = DP_ERR_OK; +goto done; +} + pref_len = strlen(CCACHE_ENV_NAME)+1; if (*msg_len pref_len strncmp((const char *) buf[p], CCACHE_ENV_NAME=, pref_len) == 0) { @@ -1047,6 +1057,7 @@ static void krb5_save_ccname_done(struct tevent_req *req) switch(pd-cmd) { case SSS_PAM_AUTHENTICATE: +case SSS_PAM_CHAUTHTOK_PRELIM: password = talloc_size(be_req, pd-authtok_size + 1); if (password != NULL) { memcpy(password, pd-authtok, pd-authtok_size); diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c index 2f48574..eb82f6f 100644 --- a/server/providers/krb5/krb5_child.c +++ b/server/providers/krb5/krb5_child.c 
@@ -299,19 +299,24 @@ static struct response *prepare_response_message(struct krb5_req *kr, } if (kerr == 0) { -if (kr-ccname == NULL) { -DEBUG(1, (Error obtaining ccname.\n)); -return NULL; -} +if(kr-pd-cmd == SSS_PAM_CHAUTHTOK_PRELIM) { +ret = pack_response_packet(resp, PAM_SUCCESS, PAM_USER_INFO, + success); +} else { +if (kr-ccname == NULL) { +DEBUG(1, (Error obtaining ccname.\n)); +return NULL; +} -msg = talloc_asprintf
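Review bot: in the get_krb5_ctx() hunk of krb5_auth.c, the added `break;` follows an existing `break;` that itself comes after `return talloc_get_type(...)`, so it is unreachable; drop it. Everything after the `return` in that case label is dead code, and the duplicate only draws the eye.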
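Review bot: in the prepare_response_message() hunk of krb5_child.c, `if(kr-pd-cmd == SSS_PAM_CHAUTHTOK_PRELIM)` lacks the space after `if` used elsewhere in the file, and the PRELIM branch packs a PAM_USER_INFO message whose text is just "success". The preliminary check only confirms the old password, and the PAM_SUCCESS status already carries that result; if pam_sss displays PAM_USER_INFO messages, the user will see a bare "success" before being prompted for the new password, which is more confusing than helpful. Consider returning the status alone in this branch.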
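The two-phase flow this message describes, as an added example in C that is not SSSD's or the patch's code: libpam calls pam_sm_chauthtok() twice, first with PAM_PRELIM_CHECK to validate the old password, then with PAM_UPDATE_AUTHTOK to perform the change, and each call becomes its own backend request instead of both passwords travelling together. The PAM flag and return values are the Linux-PAM ones redefined locally so the file builds without PAM headers; the backend is a constructed single-user in-memory store standing in for the sssd data provider, and CMD_CHAUTHTOK_PRELIM / CMD_CHAUTHTOK are assumed names mirroring the patch's SSS_PAM_CHAUTHTOK_PRELIM / SSS_PAM_CHAUTHTOK.

```c
/* Added example, not SSSD code: two-phase password change as driven by
 * libpam. Values below are Linux-PAM's, redefined so no PAM headers are
 * needed; the "backend" is a constructed in-memory store. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define PAM_PRELIM_CHECK   0x4000   /* first pam_sm_chauthtok() call   */
#define PAM_UPDATE_AUTHTOK 0x2000   /* second pam_sm_chauthtok() call  */
#define PAM_SUCCESS        0
#define PAM_SYSTEM_ERR     4
#define PAM_AUTH_ERR       7
#define PAM_AUTHTOK_ERR    20

/* Assumed names for the two request types sent to the backend. */
enum chpass_cmd { CMD_CHAUTHTOK_PRELIM = 1, CMD_CHAUTHTOK = 2 };

#define MAX_PW 64

/* Constructed single-user store standing in for the data provider. */
static char store_user[MAX_PW] = "alice";
static char store_pw[MAX_PW]   = "old-secret";

/* Compare without early exit so a wrong guess does not reveal how many
 * leading characters matched. */
static bool pw_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t diff = la ^ lb;
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Backend side: the old password is verified in both phases, because the
 * result of the preliminary call is not carried over to the second one.
 * Only CMD_CHAUTHTOK carries and stores a new password. */
int backend_chpass(enum chpass_cmd cmd, const char *user,
                   const char *old_pw, const char *new_pw)
{
    if (strcmp(user, store_user) != 0 || !pw_equal(old_pw, store_pw))
        return PAM_AUTH_ERR;
    if (cmd == CMD_CHAUTHTOK_PRELIM)
        return PAM_SUCCESS;          /* verified; nothing is stored */
    if (new_pw == NULL || new_pw[0] == '\0' || strlen(new_pw) >= MAX_PW)
        return PAM_AUTHTOK_ERR;
    strcpy(store_pw, new_pw);
    return PAM_SUCCESS;
}

/* Module side: route each libpam phase to a separate backend request.
 * The prelim request never sees the new password. */
int chauthtok_dispatch(int flags, const char *user,
                       const char *old_pw, const char *new_pw)
{
    if (old_pw == NULL)
        return PAM_AUTHTOK_ERR;      /* the old password is always required */
    if (flags & PAM_PRELIM_CHECK)
        return backend_chpass(CMD_CHAUTHTOK_PRELIM, user, old_pw, NULL);
    if (flags & PAM_UPDATE_AUTHTOK)
        return backend_chpass(CMD_CHAUTHTOK, user, old_pw, new_pw);
    return PAM_SYSTEM_ERR;           /* libpam always sets one of the two */
}

/* The sequence libpam drives for one password change: a failed prelim
 * check gives the user feedback before a new password is ever asked for. */
int change_password(const char *user, const char *old_pw, const char *new_pw)
{
    int ret = chauthtok_dispatch(PAM_PRELIM_CHECK, user, old_pw, NULL);
    if (ret != PAM_SUCCESS)
        return ret;
    return chauthtok_dispatch(PAM_UPDATE_AUTHTOK, user, old_pw, new_pw);
}
```

The backend deliberately re-validates the old password in the update phase rather than trusting the earlier prelim result, since the two calls are independent requests and nothing binds them together; an empty new password is rejected at the backend so the store can never be left without a credential.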
Re: [SSSD] [PATCH] Handle chauthtok with PAM_PRELIM_CHECK separately
On Wed, Dec 16, 2009 at 01:04:01PM +0100, Sumit Bose wrote: Hi, this patch should fix #326 Missing checks in PAM_PRELIM_CHECK Currently we collect old and new password in pam_sss and send them together to the sssd to change to password. But it is expected that during the first call to pam_sm_chauthtok, when PAM_PRELIM_CHECK is set, the old password is validated to give a feedback to the user before the new password is requested. Please check and test carefully. bye, Sumit aaahh, sorry, I found a flaw in the changes for the Kerberos provider. Please wait for a new version ... bye, Sumit ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCH] Raise DEBUG log level for sdap_generic_get_done
On Wed, Dec 16, 2009 at 08:47:21AM -0500, Stephen Gallagher wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Level 3 is too low for the output of sdap_generic_get_done(), especially since the message stating what was being gotten is at level 6. (So this message has no context). When enumeration is enabled or initgroups has to deal with many users, this adds a lot of noise to the logs. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEUEARECAAYFAkso5NgACgkQeiVVYja6o6MO1QCUDaUstAtR1hdz10almX8c2rJt HQCfXBXMhayN5zYZwEN1x+qmUsr0I8M= =fVnt -END PGP SIGNATURE- ACK bye, Sumit ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
[SSSD] [PATCH] disable password migration code
Hi, this patch disables the IPA password migration code. Some issues were identified which need some deeper discussion about some internal interfaces. bye, Sumit From 45c3164f3e99b27f3582cf05ce00a9a3565d8cc8 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Thu, 17 Dec 2009 19:53:57 +0100 Subject: [PATCH] disable password migration code --- server/providers/ipa/ipa_auth.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/server/providers/ipa/ipa_auth.c b/server/providers/ipa/ipa_auth.c index 9f9a48e..86b72e4 100644 --- a/server/providers/ipa/ipa_auth.c +++ b/server/providers/ipa/ipa_auth.c @@ -179,8 +179,8 @@ void ipa_auth(struct be_req *be_req) be_req-be_ctx-bet_info[BET_AUTH].pvt_bet_data, struct krb5_ctx); -/* TODO: make password_migration configurable */ -ipa_auth_ctx-password_migration = true; +/* TODO: test and activate when server side support is available */ +ipa_auth_ctx-password_migration = false; ipa_auth_ctx-dp_err_type = DP_ERR_FATAL; ipa_auth_ctx-errnum = EIO; -- 1.6.5.2
Re: [SSSD] [PATCH] Handle chauthtok with PAM_PRELIM_CHECK separately
On Thu, Dec 17, 2009 at 01:09:56PM -0500, Stephen Gallagher wrote:

On 12/16/2009 08:31 AM, Sumit Bose wrote:
On Wed, Dec 16, 2009 at 02:03:44PM +0100, Sumit Bose wrote:
On Wed, Dec 16, 2009 at 01:04:01PM +0100, Sumit Bose wrote:

Hi, this patch should fix #326 Missing checks in PAM_PRELIM_CHECK. Currently we collect old and new password in pam_sss and send them together to the sssd to change the password. But it is expected that during the first call to pam_sm_chauthtok, when PAM_PRELIM_CHECK is set, the old password is validated to give feedback to the user before the new password is requested. Please check and test carefully. bye, Sumit

aaahh, sorry, I found a flaw in the changes for the Kerberos provider. Please wait for a new version ...

ok, new version attached, I also added Tomas' suggestion. bye, Sumit

Looks fine except for

break; +break; default: DEBUG(1, (Unsupported PAM task.\n)); return NULL;

The extra break here is unnecessary.

-- Stephen Gallagher

fixed version attached.

bye, Sumit

From 5f68859a62d9e3ba806180a05eb1410473474ace Mon Sep 17 00:00:00 2001 
From: Sumit Bose sb...@redhat.com Date: Wed, 16 Dec 2009 12:53:55 +0100 Subject: [PATCH] Handle chauthtok with PAM_PRELIM_CHECK separately If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we generate a separate call to the sssd to validate the old password before asking for a new password and sending the change password request. --- server/providers/data_provider_be.c |1 + server/providers/krb5/krb5_auth.c | 14 +++- server/providers/krb5/krb5_child.c | 36 -- server/providers/ldap/ldap_auth.c | 26 ++-- server/providers/proxy.c| 13 +++- server/responder/pam/pamsrv_cmd.c |6 + sss_client/pam_sss.c|2 +- sss_client/sss_cli.h|2 +- 8 files changed, 77 insertions(+), 23 deletions(-) diff --git a/server/providers/data_provider_be.c b/server/providers/data_provider_be.c index 02d5a0d..05f3eaf 100644 --- a/server/providers/data_provider_be.c +++ b/server/providers/data_provider_be.c @@ -565,6 +565,7 @@ static int be_pam_handler(DBusMessage *message, struct sbus_connection *conn) target = BET_ACCESS; break; case SSS_PAM_CHAUTHTOK: +case SSS_PAM_CHAUTHTOK_PRELIM: target = BET_CHPASS; break; default: diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c index 4581278..7301841 100644 --- a/server/providers/krb5/krb5_auth.c +++ b/server/providers/krb5/krb5_auth.c @@ -398,6 +398,7 @@ static struct krb5_ctx *get_krb5_ctx(struct be_req *be_req) struct krb5_ctx); break; case SSS_PAM_CHAUTHTOK: +case SSS_PAM_CHAUTHTOK_PRELIM: return talloc_get_type(be_req-be_ctx-bet_info[BET_CHPASS].pvt_bet_data, struct krb5_ctx); break; 
@@ -685,14 +686,16 @@ void krb5_pam_handler(struct be_req *be_req) pd = talloc_get_type(be_req-req_data, struct pam_data); -if (pd-cmd != SSS_PAM_AUTHENTICATE pd-cmd != SSS_PAM_CHAUTHTOK) { +if (pd-cmd != SSS_PAM_AUTHENTICATE pd-cmd != SSS_PAM_CHAUTHTOK +pd-cmd != SSS_PAM_CHAUTHTOK_PRELIM) { DEBUG(4, (krb5 does not handles pam task %d.\n, pd-cmd)); pam_status = PAM_SUCCESS; dp_err = DP_ERR_OK; goto done; } -if (be_is_offline(be_req-be_ctx) pd-cmd == SSS_PAM_CHAUTHTOK) { +if (be_is_offline(be_req-be_ctx) +(pd-cmd == SSS_PAM_CHAUTHTOK || pd-cmd == SSS_PAM_CHAUTHTOK_PRELIM)) { DEBUG(9, (Password changes are not possible while offline.\n)); pam_status = PAM_AUTHINFO_UNAVAIL; dp_err = DP_ERR_OFFLINE; @@ -958,6 +961,12 @@ static void krb5_child_done(struct tevent_req *req) pd-pam_status = *msg_status; } +if (*msg_status == PAM_SUCCESS pd-cmd == SSS_PAM_CHAUTHTOK_PRELIM) { +pam_status = PAM_SUCCESS; +dp_err = DP_ERR_OK; +goto done; +} + pref_len = strlen(CCACHE_ENV_NAME)+1; if (*msg_len pref_len strncmp((const char *) buf[p], CCACHE_ENV_NAME=, pref_len) == 0) { @@ -1047,6 +1056,7 @@ static void krb5_save_ccname_done(struct tevent_req *req) switch(pd-cmd
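Review bot: the commit message should say that SSS_PAM_CHAUTHTOK_PRELIM is routed to the BET_CHPASS target in be_pam_handler and is refused offline in krb5_pam_handler together with SSS_PAM_CHAUTHTOK, because that means the old-password check needs a reachable KDC and passwd will fail at the first prompt while offline. The early `goto done` in krb5_child_done is right for a check-only request since it skips the CCACHE_ENV_NAME handling, but `pam_status = PAM_SUCCESS` there is already implied by the `*msg_status == PAM_SUCCESS` condition and can go; also the message 'krb5 does not handles pam task' should read 'does not handle'.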
Re: [SSSD] [PATCH] Do not overwrite valid TGTs when offline
On Fri, Dec 18, 2009 at 08:25:26AM -0500, Stephen Gallagher wrote:

On 12/17/2009 07:27 AM, Sumit Bose wrote:

Hi, this patch should fix #327. Currently an empty ticket is created if the client is offline. This patch checks if there already is a ccache file and if it contains a valid, i.e. not expired, TGT. If this is true the ccache file and the TGT are used. bye, Sumit

Nack.

(Fri Dec 18 08:24:05 2009) [sssd[be[redhat.com]]] [load_backend_module] (0): Unable to load krb5 module with path (/usr/lib64/sssd/libsss_krb5.so), error: /usr/lib64/sssd/libsss_krb5.so: undefined symbol: check_for_valid_tgt

This crashes the backend.

-- Stephen Gallagher

aah, sorry, I forgot to put the Makefile.am change into the patch, now they are in.

bye, Sumit

From 10e658339cff9a0bf6fdc88a0809ebb2515a761e Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Thu, 17 Dec 2009 13:18:05 +0100 Subject: [PATCH] Do not overwrite valid TGTs when offline --- server/Makefile.am|3 +- server/providers/krb5/krb5_auth.c | 129 + server/providers/krb5/krb5_auth.h |1 + server/util/sss_krb5.c| 92 ++ server/util/sss_krb5.h|3 + 5 files changed, 185 insertions(+), 43 deletions(-) diff --git a/server/Makefile.am b/server/Makefile.am index a7fd8c4..9d17ee7 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -618,7 +618,8 @@ libsss_krb5_la_SOURCES = \ providers/krb5/krb5_become_user.c \ providers/krb5/krb5_auth.c \ providers/krb5/krb5_common.c \ -providers/krb5/krb5_init.c +providers/krb5/krb5_init.c \ +util/sss_krb5.c libsss_krb5_la_CFLAGS = \ $(AM_CFLAGS) \ $(DHASH_CFLAGS) 
diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c index 7301841..6e63c30 100644 --- a/server/providers/krb5/krb5_auth.c +++ b/server/providers/krb5/krb5_auth.c @@ -113,7 +113,8 @@ done: return ret; } -static errno_t check_if_ccache_file_is_used(uid_t uid, const char **ccname) +static errno_t check_if_ccache_file_is_used(uid_t uid, const char *ccname, +bool *result) { int ret; size_t offset = 0; @@ -121,15 +122,17 @@ static errno_t check_if_ccache_file_is_used(uid_t uid, const char **ccname) const char *filename; bool active; -if (ccname == NULL || *ccname == NULL) { +*result = false; + +if (ccname == NULL || *ccname == '\0') { return EINVAL; } -if (strncmp(*ccname, FILE:, 5) == 0) { +if (strncmp(ccname, FILE:, 5) == 0) { offset = 5; } -filename = *ccname + offset; +filename = ccname + offset; if (filename[0] != '/') { DEBUG(1, (Only absolute path names are allowed)); @@ -142,7 +145,6 @@ static errno_t check_if_ccache_file_is_used(uid_t uid, const char **ccname) DEBUG(1, (stat failed [%d][%s].\n, errno, strerror(errno))); return errno; } else if (ret == -1 errno == ENOENT) { -*ccname = NULL; return EOK; } @@ -165,17 +167,11 @@ static errno_t check_if_ccache_file_is_used(uid_t uid, const char **ccname) } if (!active) { -DEBUG(5, (User [%d] is not active, deleting old ccache file [%s].\n, - uid, filename)); -ret = unlink(filename); -if (ret == -1) { -DEBUG(1, (unlink failed [%d][%s].\n, errno, strerror(errno))); -return errno; -} -*ccname = NULL; +DEBUG(5, (User [%d] is not active\n, uid)); } else { DEBUG(9, (User [%d] is still active, reusing ccache file [%s].\n, uid, filename)); +*result = true; } return EOK; } 
@@ -734,12 +730,13 @@ static void get_user_attr_done(void *pvt, int err, struct ldb_result *res) struct krb5_ctx *krb5_ctx; struct krb5child_req *kr = NULL; struct tevent_req *req; +krb5_error_code kerr; int ret; struct pam_data *pd; int pam_status=PAM_SYSTEM_ERR; int dp_err = DP_ERR_FATAL; const char *ccache_file = NULL; -const char *dummy; +const char *realm; ret = krb5_setup(be_req, kr); if (ret != EOK) { @@ -755,6 +752,12 @@ static void get_user_attr_done(void *pvt, int err, struct ldb_result *res) goto failed; } +realm = dp_opt_get_cstring(krb5_ctx-opts, KRB5_REALM); +if (realm == NULL) { +DEBUG(1, (Missing
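Review bot: check_if_ccache_file_is_used() no longer unlinks a ccache whose owner has no active session, it only reports via *result, so the caller must either reuse or overwrite that file; otherwise the stale credential cache that the removed branch used to delete stays on disk, which is the case the commit message should mention. `*result = false` is set before the ccname check, which is good, but a NULL `result` is dereferenced there, so either check it or document the precondition.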
Re: [SSSD] [PATCH] disable password migration code
On Mon, Dec 21, 2009 at 01:24:26PM +1000, David O'Brien wrote:

Stephen Gallagher wrote:
On 12/17/2009 02:07 PM, Stephen Gallagher wrote:
On 12/17/2009 01:57 PM, Sumit Bose wrote:

Hi, this patch disables the IPA password migration code. Some issues were identified which need some deeper discussion about some internal interfaces. bye, Sumit

Ack.

Pushed to master and 1-0-0

Does this have any doc impact (man page or User Guide)?

No, the password migration is supposed to happen behind the scenes. Additionally the server side part isn't committed yet so the client part hadn't done anything useful yet.

bye, Sumit

thanks

-- David O'Brien Red Hat Asia Pacific +61 7 3514 8189 http://freeipa.org/page/DocumentationPortal http://git.fedorahosted.org/git/ipadocs.git He who asks is a fool for five minutes, but he who does not ask remains a fool forever. ~ Chinese proverb
Re: [SSSD] [PATCH] Fix broken LOCAL password changes
On Mon, Dec 21, 2009 at 01:32:27PM +1000, David O'Brien wrote:

Stephen Gallagher wrote:
On 12/18/2009 03:30 PM, Simo Sorce wrote:
On Fri, 18 Dec 2009 15:18:48 -0500 Stephen Gallagher sgall...@redhat.com wrote:

We forgot the LOCAL provider when we added support for PAM_PRELIM_CHECK.

ACK Simo.

Pushed to master and 1-0-0.

What's the doc impact or how do I use/test this?

There is no impact on the docs. The change only affects how a password change request is processed internally. You can test it by trying to change a password of a local user. If it works everything is fine, if it fails either this patch is not applied or something else is broken.

I have changed the way change password requests are handled because of #326. In the patch for #326 I have changed the proxy, ldap and kerberos provider but forgot LOCAL. The visible change of #326 is the immediate response of the passwd command if the user provides a wrong 'old' password. Without the patch the user was asked for the old and the new password and only after entering both he got a response if the old password was wrong.

bye, Sumit

-- David O'Brien Red Hat Asia Pacific +61 7 3514 8189
Re: [SSSD] [Transifex] File submitted via email to SSSD | master
On Mon, Jan 04, 2010 at 01:44:49PM -0500, Stephen Gallagher wrote:

On 12/30/2009 11:59 AM, ad...@transifex.net wrote:
Hello sssd, this is Transifex at http://www.transifex.net. The following attached files were submitted to SSSD | master by goeran goe...@uddeborg.se Please, visit Transifex at http://www.transifex.net/projects/p/sssd/c/master/ in order to see the component page. Thank you, Transifex

Patch 0001: Update the master branch for translations. This should have been done when we released 1.0.0, but it was overlooked.

Patch 0002: Fix a typo in the SV translation.

ACK

bye, Sumit
Re: [SSSD] [PATCH] Remove local provider from access_provider list
On Thu, Jan 07, 2010 at 12:04:01PM -0500, Stephen Gallagher wrote:

On 01/07/2010 11:56 AM, Stephen Gallagher wrote:
Addresses https://bugzilla.redhat.com/show_bug.cgi?id=552537 The entry for [provider/local/access] doesn't belong in the list. We have no special processing in the LOCAL provider for access control at this time. We should just be defaulting to permit.

Sorry, forgot to include the test update in the patch. New patch attached.

-- Stephen Gallagher

From 702e812f5e0c22c0421e9a328a4e17ca4e3346e2 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher sgall...@redhat.com Date: Tue, 5 Jan 2010 08:18:07 -0500 Subject: [PATCH 1/4] Remove local provider from access_provider list Update test for provider list. --- server/config/SSSDConfigTest.py |2 +- server/config/etc/sssd.api.d/sssd-local.conf |2 -- 2 files changed, 1 insertions(+), 3 deletions(-) diff --git a/server/config/SSSDConfigTest.py b/server/config/SSSDConfigTest.py index 1e79342..7a3b733 100755 --- a/server/config/SSSDConfigTest.py +++ b/server/config/SSSDConfigTest.py @@ -494,7 +494,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): control_provider_dict = { 'ipa': ['id', 'auth', 'access', 'chpass'], -'local': ['id', 'auth', 'access', 'chpass'], +'local': ['id', 'auth', 'chpass'], 'ldap': ['id', 'auth', 'chpass'], 'krb5': ['auth', 'access', 'chpass'],

Please remove 'access' from krb5, too.

bye, Sumit
[SSSD] [PATCH] Add sysdb request to authenticate against a cached password
Hi, this patch moves the validation against cached password from the PAM responder code to a sysdb tevent request. This allows e.g. the Kerberos provider to check a password on its own when offline. This is needed for features like 'kinit when going online' or 'automatic ticket renewal' where the Kerberos provider needs to keep the password in memory. I think this is no material for 1.0.x, but for 1.1.x.

bye, Sumit

From bc8d8ce024a0f56ee6323197b4b9b21077d651a7 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Thu, 7 Jan 2010 10:26:50 +0100 Subject: [PATCH] Add sysdb request to authenticate against a cached password The code for authentication against a cached password is moved from the pam responder to a generic sysdb tevent request. The new code can be used by other components of sssd to verify passwords on their own. Tests for the sysdb_cache_password and sysdb_cache_auth request are added and some unneeded or unused code and variables are removed. --- server/Makefile.am |1 - server/db/sysdb.h | 11 ++ server/db/sysdb_ops.c | 173 + server/responder/pam/pam_LOCAL_domain.c | 31 ++ server/responder/pam/pamsrv.h |2 - server/responder/pam/pamsrv_cache.c | 180 --- server/responder/pam/pamsrv_cmd.c | 62 +-- server/tests/sysdb-tests.c | 135 +++ 8 files changed, 378 insertions(+), 217 deletions(-) delete mode 100644 server/responder/pam/pamsrv_cache.c diff --git a/server/Makefile.am b/server/Makefile.am index 9d17ee7..370af75 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -342,7 +342,6 @@ sssd_nss_LDADD = \ sssd_pam_SOURCES = \ responder/pam/pam_LOCAL_domain.c \ responder/pam/pamsrv.c \ -responder/pam/pamsrv_cache.c \ responder/pam/pamsrv_cmd.c \ responder/pam/pamsrv_dp.c \ $(SSSD_UTIL_OBJ) \ diff --git a/server/db/sysdb.h b/server/db/sysdb.h index 641ec68..4c25549 100644 --- a/server/db/sysdb.h +++ b/server/db/sysdb.h 
@@ -542,6 +542,17 @@ struct tevent_req *sysdb_cache_password_send(TALLOC_CTX *mem_ctx, const char *password); int sysdb_cache_password_recv(struct tevent_req *req); + +struct tevent_req *sysdb_cache_auth_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + const char *name, + const uint8_t *authtok, + size_t authtok_size, + struct confdb_ctx *cdb); +int sysdb_cache_auth_recv(struct tevent_req *req); + struct tevent_req *sysdb_store_custom_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct sysdb_handle *handle, diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c index 86a9d33..36b5867 100644 --- a/server/db/sysdb_ops.c +++ b/server/db/sysdb_ops.c @@ -4632,4 +4632,177 @@ int sysdb_delete_group_recv(struct tevent_req *req) return sysdb_op_default_recv(req); } +/* = Authentication against cached password */ +struct sysdb_cache_auth_state { +struct tevent_context *ev; +const char *name; +const uint8_t *authtok; +size_t authtok_size; +struct sss_domain_info *domain; +struct sysdb_ctx *sysdb; +struct confdb_ctx *cdb; +}; + +static void sysdb_cache_auth_get_attrs_done(struct tevent_req *subreq); + +struct tevent_req *sysdb_cache_auth_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + const char *name, + const uint8_t *authtok, + size_t authtok_size, + struct confdb_ctx *cdb) +{ +struct tevent_req *req; +struct tevent_req *subreq; +struct sysdb_cache_auth_state *state; + +if (name == NULL || *name == '\0') { +DEBUG(1, (Missing user name.\n)); +return NULL; +} + +if (cdb == NULL) { +DEBUG(1, (Missing config db context.\n)); +return NULL; +} + +if (sysdb == NULL) { +DEBUG(1, (Missing sysdb db context.\n)); +return NULL; +} + +static const char *attrs[] = {SYSDB_NAME, + SYSDB_CACHEDPWD, + SYSDB_DISABLED, + SYSDB_LAST_LOGIN
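Review bot: sysdb_cache_auth_send() rejects a missing name, cdb and sysdb but never checks `domain` or `authtok`, even though both are stored in sysdb_cache_auth_state for the comparison that follows; add `if (domain == NULL || authtok == NULL || authtok_size == 0)` next to the other guards. Returning NULL for a bad argument also leaves the caller unable to tell it from an allocation failure; creating the request and failing it with tevent_req_error() would deliver a proper errno through sysdb_cache_auth_recv().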
[SSSD] [PATCH] Rename PAM_USER_INFO to PAM_SYSTEM_INFO
Hi, this patch just renames PAM_USER_INFO to PAM_SYSTEM_INFO. Currently PAM_USER_INFO is only used to send messages which are written to syslog by the PAM client. It is planned to add new messages which will be displayed to the user, e.g. if offline authentication was used. To avoid confusion I think this name change makes sense. bye, Sumit From 3518cdf8501898fd3f7b57a90bd75b2b58395164 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Fri, 8 Jan 2010 14:52:17 +0100 Subject: [PATCH] Rename PAM_USER_INFO to PAM_SYSTEM_INFO --- server/providers/data_provider_be.c |2 +- server/providers/krb5/krb5_child.c |4 ++-- sss_client/pam_sss.c|6 +++--- sss_client/sss_cli.h|2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/server/providers/data_provider_be.c b/server/providers/data_provider_be.c index e59f64a..40d5c8c 100644 --- a/server/providers/data_provider_be.c +++ b/server/providers/data_provider_be.c @@ -584,7 +584,7 @@ static int be_pam_handler(DBusMessage *message, struct sbus_connection *conn) if (!becli-bectx-bet_info[target].bet_ops) { DEBUG(7, (Undefined backend target.\n)); pd-pam_status = PAM_MODULE_UNKNOWN; -ret = pam_add_response(pd, PAM_USER_INFO, +ret = pam_add_response(pd, PAM_SYSTEM_INFO, sizeof(MSG_TARGET_NO_CONFIGURED), (const uint8_t *) MSG_TARGET_NO_CONFIGURED); if (ret != EOK) { diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c index 04cf1f0..a8eed71 100644 --- a/server/providers/krb5/krb5_child.c +++ b/server/providers/krb5/krb5_child.c @@ -300,7 +300,7 @@ static struct response *prepare_response_message(struct krb5_req *kr, if (kerr == 0) { if(kr-pd-cmd == SSS_PAM_CHAUTHTOK_PRELIM) { -ret = pack_response_packet(resp, PAM_SUCCESS, PAM_USER_INFO, +ret = pack_response_packet(resp, PAM_SUCCESS, PAM_SYSTEM_INFO, success); } else { if (kr-ccname == NULL) { 
@@ -324,7 +324,7 @@ static struct response *prepare_response_message(struct krb5_req *kr, return NULL; } -ret = pack_response_packet(resp, pam_status, PAM_USER_INFO, krb5_msg); +ret = pack_response_packet(resp, pam_status, PAM_SYSTEM_INFO, krb5_msg); sss_krb5_free_error_message(krb5_error_ctx, krb5_msg); } diff --git a/sss_client/pam_sss.c b/sss_client/pam_sss.c index 951a1dc..abd9706 100644 --- a/sss_client/pam_sss.c +++ b/sss_client/pam_sss.c @@ -397,12 +397,12 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf) } switch(*type) { -case PAM_USER_INFO: +case PAM_SYSTEM_INFO: if (buf[p + (*len -1)] != '\0') { -D((user info does not end with \\0.)); +D((system info does not end with \\0.)); break; } -logger(pamh, LOG_INFO, user info: [%s], buf[p]); +logger(pamh, LOG_INFO, system info: [%s], buf[p]); break; case PAM_DOMAIN_NAME: D((domain name: [%s], buf[p])); diff --git a/sss_client/sss_cli.h b/sss_client/sss_cli.h index 7c18e1c..3996fff 100644 --- a/sss_client/sss_cli.h +++ b/sss_client/sss_cli.h @@ -169,7 +169,7 @@ enum sss_status { }; enum response_type { -PAM_USER_INFO = 0x01, +PAM_SYSTEM_INFO = 0x01, PAM_DOMAIN_NAME, PAM_ENV_ITEM,/* only pam environment */ ENV_ITEM,/* only user environment */ -- 1.6.5.2
Re: [SSSD] [PATCH] sss_groupshow - a utility to print properties of a local group
On Fri, Jan 15, 2010 at 06:55:29PM +0100, Jakub Hrozek wrote:

On 01/15/2010 06:24 PM, Jakub Hrozek wrote:
On 01/15/2010 06:22 PM, Jakub Hrozek wrote:
This patch adds a utility called sss_groupshow that allows a user to print properties of a group in the local domain. Fixes: #306

Self-nack, I realized it is missing changes to specfile, sorry for the noise..

Revised patch attached.

Works nice, but can you add _() to the default output so it can get translated?

bye, Sumit
Re: [SSSD] [PATCHES] Improved VERSION handling
On Mon, Jan 18, 2010 at 09:45:08AM -0500, Stephen Gallagher wrote:

Patch 0001: Use a version.m4 file instead of VERSION to set the version and prerelease version. This is done so that automake/autoconf will automatically detect changes to the file and process them accordingly, rather than manually being forced to rerun autoreconf if you change the version/prerelease version.

Patch 0002: Add a 'prerelease-srpms' target to the toplevel Makefile if it is a git checkout. This will allow us to easily generate the n-v-r for the prerelease version of the SRPMs, as is done on the various automated builders.

Patch 0003: Add a 'prerelease-rpms' target to the toplevel Makefile to automatically set the n-v-r when building local RPMs.

NACK

I think there is a patch missing which updates:

common/configure.ac:m4_esyscmd([cat ../VERSION |head -n1 | tr -d '\n']),
server/configure.ac:m4_esyscmd([cat ../VERSION |head -n1 | tr -d '\n']),
sss_client/configure.ac:m4_esyscmd([cat ../VERSION |head -n1 | tr -d '\n']),

bye, Sumit
Re: [SSSD] [PATCH] sss_groupshow - a utility to print properties of a local group
On Tue, Jan 19, 2010 at 01:47:13PM +0100, Jakub Hrozek wrote:

On 01/19/2010 01:33 PM, Stephen Gallagher wrote:
On 01/19/2010 06:14 AM, Jakub Hrozek wrote:
On 01/18/2010 05:28 PM, Sumit Bose wrote:
Works nice, but can you add _() to the default output so it can get translated? bye, Sumit

Sure, thanks for the review. New patch is attached.

Nack. You missed: printf(\nMember users: );

ouch, sorry, fixed..

ACK

bye, Sumit
Re: [SSSD] [PATCH] For consideration: split libdhash off into a shared library
On Tue, Jan 19, 2010 at 05:12:22PM -0500, Stephen Gallagher wrote:

On 01/08/2010 03:01 PM, Stephen Gallagher wrote:
On 01/08/2010 05:20 AM, Sumit Bose wrote:
New patches attached.

Patch 0001: Fix missing license information for libdhash

Patch 0002: Updated patch splitting off libdhash, including COPYING files and examples/ files. I moved the example sources into their own subdirectory to make it simpler to include in the spec file.

Self-nack. A closer inspection of the Fedora Packaging Guidelines suggests that static libraries shouldn't be packaged if it can be helped, or should be in a separate -static subpackage. This version of the patches removes the static library from the spec.

ACK

bye, Sumit
[SSSD] [PATCH] Update the url in the spec files
Hi, I just recognized that the url in the spec files is still pointing to freeipa.

bye, Sumit

From 869e25c6384f7e20addc893b393bede233a658e7 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Wed, 20 Jan 2010 10:16:16 +0100 Subject: [PATCH] Update the url in the spec files --- contrib/sssd.spec.in |2 +- contrib/suse/sssd.spec.in |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index e3baf04..649a898 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -8,7 +8,7 @@ Group: Applications/System Summary: System Security Services Daemon # The entire source code is GPLv3+ except replace/ which is LGPLv3+ License: GPLv3+ and LGPLv3+ -URL: http://www.freeipa.org/ +URL: http://fedorahosted.org/sssd/ Source0: %{name}-%{version}.tar.gz BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XX) diff --git a/contrib/suse/sssd.spec.in b/contrib/suse/sssd.spec.in index 3fd20f7..214387a 100644 --- a/contrib/suse/sssd.spec.in +++ b/contrib/suse/sssd.spec.in @@ -8,7 +8,7 @@ Group: Applications/System Summary: System Security Services Daemon # The entire source code is GPLv3+ except replace/ which is LGPLv3+ License: GPLv3+ and LGPLv3+ -URL: http://www.freeipa.org/ +URL: http://fedorahosted.org/sssd/ Source0: %{name}-%{version}.tar.gz BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XX) -- 1.6.6
Re: [SSSD] [PATCHES] Improved VERSION handling
On Wed, Jan 20, 2010 at 01:44:38PM -0500, Stephen Gallagher wrote:

On 01/19/2010 06:38 AM, Sumit Bose wrote:
On Mon, Jan 18, 2010 at 09:45:08AM -0500, Stephen Gallagher wrote:

Patch 0001: Use a version.m4 file instead of VERSION to set the version and prerelease version. This is done so that automake/autoconf will automatically detect changes to the file and process them accordingly, rather than manually being forced to rerun autoreconf if you change the version/prerelease version.

Patch 0002: Add a 'prerelease-srpms' target to the toplevel Makefile if it is a git checkout. This will allow us to easily generate the n-v-r for the prerelease version of the SRPMs, as is done on the various automated builders.

Patch 0003: Add a 'prerelease-rpms' target to the toplevel Makefile to automatically set the n-v-r when building local RPMs.

NACK I think there is a patch missing which updates:

common/configure.ac:m4_esyscmd([cat ../VERSION |head -n1 | tr -d '\n']),
server/configure.ac:m4_esyscmd([cat ../VERSION |head -n1 | tr -d '\n']),
sss_client/configure.ac:m4_esyscmd([cat ../VERSION |head -n1 | tr -d '\n']),

bye, Sumit

Thanks for catching that. I didn't realize those places were also relying on the VERSION file. New version of patch 0001 attached. Patch 0002 and 0003 are unaffected.

ACK

bye, Sumit
[SSSD] [PATCH] Check cache_credentials in sysdb_cache_auth_send()
Hi, although it might be good practice to check cache_credentials before calling sysdb_cache_auth_send() I think it makes sense to add it here, too. E.g. if someone forgets to check before calling sysdb_cache_auth_send() and for some reason the configuration is changed from cache_credentials=true to false. Then we might access some old cached passwords although it is expected that offline authentication does not work anymore.

bye, Sumit

From c9200f7b9009681f209d13b9a8c96f7dcb706fe2 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Thu, 21 Jan 2010 10:46:14 +0100 Subject: [PATCH] Check cache_credentials in sysdb_cache_auth_send() --- server/db/sysdb_ops.c |5 + server/tests/sysdb-tests.c |9 + 2 files changed, 14 insertions(+), 0 deletions(-) diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c index 36b5867..469ed8d 100644 --- a/server/db/sysdb_ops.c +++ b/server/db/sysdb_ops.c @@ -4674,6 +4674,11 @@ struct tevent_req *sysdb_cache_auth_send(TALLOC_CTX *mem_ctx, return NULL; } +if (!domain-cache_credentials) { +DEBUG(3, (Cached credentials not available.\n)); +return NULL; +} + static const char *attrs[] = {SYSDB_NAME, SYSDB_CACHEDPWD, SYSDB_DISABLED, diff --git a/server/tests/sysdb-tests.c b/server/tests/sysdb-tests.c index 11fde6f..3cd5e7d 100644 --- a/server/tests/sysdb-tests.c +++ b/server/tests/sysdb-tests.c @@ -130,6 +130,15 @@ static int setup_sysdb_tests(struct sysdb_test_ctx **ctx) return ret; } +val[0] = TRUE; +ret = confdb_add_param(test_ctx-confdb, true, + config/domain/LOCAL, cache_credentials, val); +if (ret != EOK) { +fail(Could not initialize LOCAL domain); +talloc_free(test_ctx); +return ret; +} + ret = confdb_get_domain(test_ctx-confdb, local, test_ctx-domain); if (ret != EOK) { fail(Could not retrieve LOCAL domain); -- 1.6.6
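Review bot: `if (!domain->cache_credentials)` dereferences `domain` before any NULL check, while the preceding guards in sysdb_cache_auth_send() return NULL for a missing name, cdb or sysdb; add a `domain == NULL` check ahead of it. The test hunk only adds cache_credentials=TRUE to the LOCAL test domain so the existing cases keep passing; a second case asserting the NULL return when the option is off would pin the behaviour this patch introduces, and the LOCAL-domain question raised in the follow-up reply needs an answer before the guard is merged.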
Re: [SSSD] [PATCH] Rename PAM_USER_INFO to PAM_SYSTEM_INFO
On Fri, Jan 08, 2010 at 03:30:32PM +0100, Sumit Bose wrote:
On Fri, Jan 08, 2010 at 03:10:21PM +0100, Tomas Mraz wrote:
On Fri, 2010-01-08 at 15:01 +0100, Sumit Bose wrote:

Hi, this patch just renames PAM_USER_INFO to PAM_SYSTEM_INFO. Currently PAM_USER_INFO is only used to send messages which are written to syslog by the PAM client. It is planned to add new messages which will be displayed to the user, e.g. if offline authentication was used. To avoid confusion I think this name change makes sense.

I suggest to rename all the PAM_ prefixed constants which do not come from PAM library directly to SSSPAM_ prefix to avoid confusion or name conflict with the PAM library. Although I understand that is possibly an API break.

I like this idea, I'll try to prepare a patch for this.

I have added a new patch which changes all defines and enum values starting with PAM_ to SSS_PAM_. For your convenience I've added the original patch, too.

bye, Sumit

From 0d56c47da7ff2542d57cb4392f4e99c8c2322ff3 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Fri, 8 Jan 2010 14:52:17 +0100 Subject: [PATCH 1/2] Rename PAM_USER_INFO to PAM_SYSTEM_INFO --- server/providers/data_provider_be.c |2 +- server/providers/krb5/krb5_child.c |4 ++-- sss_client/pam_sss.c|6 +++--- sss_client/sss_cli.h|2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/server/providers/data_provider_be.c b/server/providers/data_provider_be.c index 97cc9f8..72b671b 100644 --- a/server/providers/data_provider_be.c +++ b/server/providers/data_provider_be.c @@ -587,7 +587,7 @@ static int be_pam_handler(DBusMessage *message, struct sbus_connection *conn) if (!becli-bectx-bet_info[target].bet_ops) { DEBUG(7, (Undefined backend target.\n)); pd-pam_status = PAM_MODULE_UNKNOWN; -ret = pam_add_response(pd, PAM_USER_INFO, +ret = pam_add_response(pd, PAM_SYSTEM_INFO, sizeof(MSG_TARGET_NO_CONFIGURED), (const uint8_t *) MSG_TARGET_NO_CONFIGURED); if (ret != EOK) { 
diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c index 04cf1f0..a8eed71 100644 --- a/server/providers/krb5/krb5_child.c +++ b/server/providers/krb5/krb5_child.c @@ -300,7 +300,7 @@ static struct response *prepare_response_message(struct krb5_req *kr, if (kerr == 0) { if(kr-pd-cmd == SSS_PAM_CHAUTHTOK_PRELIM) { -ret = pack_response_packet(resp, PAM_SUCCESS, PAM_USER_INFO, +ret = pack_response_packet(resp, PAM_SUCCESS, PAM_SYSTEM_INFO, success); } else { if (kr-ccname == NULL) { @@ -324,7 +324,7 @@ static struct response *prepare_response_message(struct krb5_req *kr, return NULL; } -ret = pack_response_packet(resp, pam_status, PAM_USER_INFO, krb5_msg); +ret = pack_response_packet(resp, pam_status, PAM_SYSTEM_INFO, krb5_msg); sss_krb5_free_error_message(krb5_error_ctx, krb5_msg); } diff --git a/sss_client/pam_sss.c b/sss_client/pam_sss.c index 951a1dc..abd9706 100644 --- a/sss_client/pam_sss.c +++ b/sss_client/pam_sss.c @@ -397,12 +397,12 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf) } switch(*type) { -case PAM_USER_INFO: +case PAM_SYSTEM_INFO: if (buf[p + (*len -1)] != '\0') { -D((user info does not end with \\0.)); +D((system info does not end with \\0.)); break; } -logger(pamh, LOG_INFO, user info: [%s], buf[p]); +logger(pamh, LOG_INFO, system info: [%s], buf[p]); break; case PAM_DOMAIN_NAME: D((domain name: [%s], buf[p])); diff --git a/sss_client/sss_cli.h b/sss_client/sss_cli.h index 7c18e1c..3996fff 100644 --- a/sss_client/sss_cli.h +++ b/sss_client/sss_cli.h @@ -169,7 +169,7 @@ enum sss_status { }; enum response_type { -PAM_USER_INFO = 0x01, +PAM_SYSTEM_INFO = 0x01, PAM_DOMAIN_NAME, PAM_ENV_ITEM,/* only pam environment */ ENV_ITEM,/* only user environment */ -- 1.6.6 From 980cc16ecb113da95c8519216949bc59857f41ae Mon Sep 17 00:00:00 2001 
From: Sumit Bose sb...@redhat.com Date: Fri, 8 Jan 2010 17:39:09 +0100 Subject: [PATCH 2/2] Avoid 'PAM' at the beginning of define and enum names --- server/providers/data_provider_be.c |2 +- server/providers/krb5/krb5_auth.c |8 ++-- server/providers/krb5/krb5_child.c |7 ++-- server/responder/pam/pamsrv.c |8 ++-- server/responder/pam/pamsrv_cmd.c | 28 + sss_client/pam_sss.c| 55 ++- sss_client/sss_cli.h| 34 +++--- 7 files
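Review bot: the enum response_type hunk in sss_client/sss_cli.h still leaves the renamed value with the PAM_ prefix (PAM_SYSTEM_INFO = 0x01 beside PAM_DOMAIN_NAME and PAM_ENV_ITEM), which is exactly the libpam namespace clash Tomas raised upthread; the numeric value 0x01 is kept, so client and server packets stay compatible across the rename, but it would be less churn to fold this rename into 2/2, which moves the whole PAM_ family to SSS_PAM_ anyway.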
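Review bot: the sss_client/pam_sss.c hunk changes a user-visible syslog string from 'user info: [%s]' to 'system info: [%s]', so anything filtering logs on the old text stops matching; that deserves a sentence in the commit message. The unchanged check that buf[p + (*len -1)] is '\0' before logger() is what bounds the %s to the packet, so keep the break on that path when the case label is renamed.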
Re: [SSSD] [PATCH] Pointers to non 32 bit aligned data were being cast to uint32_t *
On Thu, Jan 21, 2010 at 12:55:59PM -0600, George McCollister wrote:

I've attached the patch generated using 'git format-patch -1' instead of using 'git send-email'. Hopefully this works better.

Regards, George McCollister

Thank you for your contribution. It is working great here.

ACK

bye, Sumit

___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCH] Fix size error on 64-bit systems
On Mon, Jan 25, 2010 at 08:57:15AM -0500, Stephen Gallagher wrote:

The patch for supporting integer alignment had a bug where we were memcpy()ing a 32-bit value onto a 64-bit size_t. This meant that it was overwriting the high-order bits, resulting in a much larger value than it should have had. This patch forces that variable to be 32-bit.

-- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/

ACK

bye, Sumit
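The width mismatch described above, as an added C example that is not SSSD's code: a 4-byte length field read with memcpy() into a 64-bit size_t beside the 32-bit variable the fix uses. The buffer layout, LEN_OFFSET and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example (not SSSD code): a message carries a 4-byte length
 * field at an odd offset, so it has to be read with memcpy() instead of
 * casting the pointer to uint32_t * (the alignment fix in this thread).
 */
#define LEN_OFFSET 1   /* one header byte, then the 4-byte length */

/* Store the length in host byte order, as a client and server on the same
 * machine exchange it. Returns the number of bytes written, 0 on overflow. */
size_t build_message(uint8_t *buf, size_t bufsize, uint32_t len)
{
    if (bufsize < LEN_OFFSET + sizeof(uint32_t)) {
        return 0;
    }
    buf[0] = 0x01;                                 /* dummy header byte */
    memcpy(buf + LEN_OFFSET, &len, sizeof(len));   /* unaligned-safe store */
    return LEN_OFFSET + sizeof(uint32_t);
}

/* Buggy reader: copies 4 bytes into an 8-byte size_t. The other 4 bytes
 * keep whatever the variable held before; the initializer below stands in
 * for stale stack contents so the effect is reproducible. On a 64-bit
 * system the result is far larger than the value on the wire, on either
 * endianness. */
size_t read_len_buggy(const uint8_t *buf)
{
    size_t len = (size_t)-1;                       /* "uninitialized" stand-in */
    memcpy(&len, buf + LEN_OFFSET, sizeof(uint32_t));
    return len;
}

/* Fixed reader, as the patch does: copy into a variable whose width
 * matches the wire field, then widen it. */
size_t read_len_fixed(const uint8_t *buf)
{
    uint32_t len32;
    memcpy(&len32, buf + LEN_OFFSET, sizeof(len32));
    return (size_t)len32;
}

int main(void)
{
    uint8_t msg[16];

    build_message(msg, sizeof(msg), 0x1234u);
    printf("wire length 0x1234: buggy read = %#zx, fixed read = %#zx\n",
           read_len_buggy(msg), read_len_fixed(msg));
    return 0;
}
```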
Re: [SSSD] [PATCH] Check cache_credentials in sysdb_cache_auth_send()
On Tue, Jan 26, 2010 at 10:15:45AM -0500, Stephen Gallagher wrote:

On 01/21/2010 10:00 AM, Sumit Bose wrote:

Hi, although it might be good practice to check cache_credentials before calling sysdb_cache_auth_send() I think it makes sense to add it here, too. E.g. if someone forgets to check before calling sysdb_cache_auth_send() and for some reason the configuration is changed from cache_credentials=true to false. Then we might access some old cached passwords although it is expected that offline authentication does not work anymore.

bye, Sumit

I'm not sure this is a good idea, unless you want to force provider=local domains to have cache_credentials=true. Right now, this will break authentication against the LOCAL domain if cache_credentials is not set.

Currently provider=local domains do not use sysdb_cache_auth_send() although it might be a good idea to let them use it to have only one place where the password hashes are compared. To make this work we should check for (cache_credentials == true || strcmp(domain->name, "local") == 0) and add a new option similar to offline_credentials_expiration for local domains. But I would prefer to do this in a separate patch. What do you think?

bye, Sumit
Re: [SSSD] [PATCH] First step to handle LDAP referrals
On Tue, Jan 26, 2010 at 01:21:31PM -0500, Stephen Gallagher wrote:

On 01/20/2010 06:48 AM, Sumit Bose wrote:

Hi, these two patches are a first step to handle LDAP referrals. The first patch changes the way we add a file descriptor event to the event loop. Currently it was extracted from the LDAP handle. But here only the fd to the 'primary' LDAP server is stored. If a referral is found and LDAP_OPT_REFERRALS is set to LDAP_OPT_ON the openLDAP library will open new connections to the new LDAP servers automatically. To keep track of the activity on these connections we need to add the new fds to the event loop, too. To get the fds this patch introduces a connection callback where the fd is extracted from the provided data and added to the event loop. There is another callback which removes the fd from the event loop when ldap_unbind is called.

The second patch adds the config option ldap_referrals to switch the referral chasing on and off.

Authentication with referrals currently works under the following conditions:
- the DN of the user is the same on both LDAP servers
- the LDAP server is RHDS/FDS/389, openLDAP does not return the 'Referral' error code when binding to a referral object

bye, Sumit

Nack.

Patch 0001: Please use talloc_get_type() instead of casting lc_arg to (struct ldap_cb_data *). This is safer, as talloc_get_type() will return NULL if it is not in fact of type struct ldap_cb_data. I'd rather see an easy-to-track segfault than have us potentially clobbering data.

Patch 0002: You need to add the new option to the SSSDConfig API as well, please.

New versions attached.

bye, Sumit

From 281180c78490b28d87d07c2dd148d510e6ccd1c7 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com Date: Tue, 19 Jan 2010 12:32:02 +0100 Subject: [PATCH 1/2] Use ldap connection callbacks to get file descriptors --- server/providers/ldap/sdap.h | 16 - server/providers/ldap/sdap_async.c| 101 ++--- server/providers/ldap/sdap_async_connection.c | 40 +++--- server/providers/ldap/sdap_async_private.h|7 +- 4 files changed, 121 insertions(+), 43 deletions(-) diff --git a/server/providers/ldap/sdap.h b/server/providers/ldap/sdap.h index 2909f41..a5b9e83 100644 --- a/server/providers/ldap/sdap.h +++ b/server/providers/ldap/sdap.h @@ -53,11 +53,25 @@ struct sdap_op { struct sdap_msg *last; }; +struct fd_event_item { +struct fd_event_item *prev; +struct fd_event_item *next; + +int fd; +struct tevent_fd *fde; +}; + +struct ldap_cb_data { +struct sdap_handle *sh; +struct tevent_context *ev; +struct fd_event_item *fd_list; +}; + struct sdap_handle { LDAP *ldap; bool connected; -struct tevent_fd *fde; +struct ldap_conncb *conncb; struct sdap_op *ops; }; diff --git a/server/providers/ldap/sdap_async.c b/server/providers/ldap/sdap_async.c index 706101b..fd8c11e 100644 --- a/server/providers/ldap/sdap_async.c +++ b/server/providers/ldap/sdap_async.c @@ -91,13 +91,14 @@ static int sdap_handle_destructor(void *mem) static void sdap_handle_release(struct sdap_handle *sh) { -DEBUG(8, (Trace: sh[%p], connected[%d], ops[%p], fde[%p], ldap[%p]\n, - sh, (int)sh-connected, sh-ops, sh-fde, sh-ldap)); +DEBUG(8, (Trace: sh[%p], connected[%d], ops[%p], ldap[%p]\n, + sh, (int)sh-connected, sh-ops, sh-ldap)); if (sh-connected) { struct sdap_op *op; -talloc_zfree(sh-fde); +/* remove all related fd events from the event loop */ +talloc_zfree(sh-conncb-lc_arg); while (sh-ops) { op = sh-ops; 
@@ -110,26 +111,13 @@ static void sdap_handle_release(struct sdap_handle *sh) if (sh-ldap) { ldap_unbind_ext(sh-ldap, NULL, NULL); } +talloc_zfree(sh-conncb); sh-connected = false; sh-ldap = NULL; sh-ops = NULL; } } -static int get_fd_from_ldap(LDAP *ldap, int *fd) -{ -int ret; - -ret = ldap_get_option(ldap, LDAP_OPT_DESC, fd); -if (ret != LDAP_OPT_SUCCESS) { -DEBUG(1, (Failed to get fd from ldap!!\n)); -*fd = -1; -return EIO; -} - -return EOK; -} - /* ==Parse-Results-And-Handle-Disconnections== */ static void sdap_process_message(struct tevent_context *ev, struct sdap_handle *sh, LDAPMessage *msg); @@ -160,8 +148,8 @@ static void sdap_process_result(struct tevent_context *ev, void *pvt) LDAPMessage *msg; int ret; -DEBUG(8, (Trace: sh[%p], connected[%d], ops[%p], fde[%p], ldap[%p]\n, - sh, (int)sh-connected, sh-ops, sh-fde, sh-ldap)); +DEBUG(8, (Trace: sh[%p], connected[%d], ops[%p], ldap[%p]\n, + sh, (int)sh
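Review bot: in the sdap_handle_release hunks of server/providers/ldap/sdap_async.c, talloc_zfree(sh-conncb-lc_arg) now runs before ldap_unbind_ext(sh-ldap, NULL, NULL), while the cover letter says the del callback that removes the fd from the event loop fires when ldap_unbind is called; that callback will therefore be handed an already freed lc_arg, and talloc_get_type() on freed memory is undefined behaviour rather than a clean NULL. Either unbind first and free lc_arg and conncb afterwards, or clear conncb->lc_arg before the unbind and have the del callback return early when its argument is NULL.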
[SSSD] [PATCH] Warn the user if authentication happens offline
Hi, this patch should fix #239. All translatable strings are in the pam client and now it should be quite easy to add new messages which should be presented to the user. It is quite easy to see this message for a console user, but currently a GUI user needs a very fast eye to catch the message in the gdm or screensaver window. Maybe we should ask the desktop people to send a PAM_TEXT_INFO message e.g. with libnotify to the user's desktop. bye, Sumit From 838ab215caf4674222ce5ef4497137fb9aee4650 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Thu, 28 Jan 2010 17:19:03 +0100 Subject: [PATCH] Warn the user if authentication happens offline --- server/db/sysdb.h |2 +- server/db/sysdb_ops.c | 17 +-- server/responder/pam/pamsrv_cmd.c | 20 +- server/tests/sysdb-tests.c|3 +- sss_client/pam_sss.c | 82 + sss_client/sss_cli.h |5 ++ 6 files changed, 121 insertions(+), 8 deletions(-) diff --git a/server/db/sysdb.h b/server/db/sysdb.h index 9b77edf..a6d9e69 100644 --- a/server/db/sysdb.h +++ b/server/db/sysdb.h @@ -557,7 +557,7 @@ struct tevent_req *sysdb_cache_auth_send(TALLOC_CTX *mem_ctx, const uint8_t *authtok, size_t authtok_size, struct confdb_ctx *cdb); -int sysdb_cache_auth_recv(struct tevent_req *req); +int sysdb_cache_auth_recv(struct tevent_req *req, time_t *expire_date); struct tevent_req *sysdb_store_custom_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c index 9a8c32e..33a3fb5 100644 --- a/server/db/sysdb_ops.c +++ b/server/db/sysdb_ops.c @@ -4648,6 +4648,7 @@ struct sysdb_cache_auth_state { struct sysdb_attrs *update_attrs; bool authentication_successful; struct sysdb_handle *handle; +time_t expire_date; }; errno_t check_failed_login_attempts(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb, 
@@ -4766,6 +4767,7 @@ struct tevent_req *sysdb_cache_auth_send(TALLOC_CTX *mem_ctx, state-update_attrs = NULL; state-authentication_successful = false; state-handle = NULL; +state-expire_date = 0; subreq = sysdb_search_user_by_name_send(state, ev, sysdb, NULL, domain, name, attrs); @@ -4821,10 +4823,14 @@ static void sysdb_cache_auth_get_attrs_done(struct tevent_req *subreq) DEBUG(9, (Offline credentials expiration is [%d] days.\n, cred_expiration)); -if (cred_expiration lastLogin + (cred_expiration * 86400) time(NULL)) { -DEBUG(4, (Cached user entry is too old.\n)); -ret = EACCES; -goto done; +if (cred_expiration) { +state-expire_date = lastLogin + (cred_expiration * 86400); +if (state-expire_date time(NULL)) { +DEBUG(4, (Cached user entry is too old.\n)); +state-expire_date = 0; +ret = EACCES; +goto done; +} } ret = check_failed_login_attempts(state, state-cdb, ldb_msg, @@ -5024,10 +5030,11 @@ static void sysdb_cache_auth_done(struct tevent_req *subreq) return; } -int sysdb_cache_auth_recv(struct tevent_req *req) { +int sysdb_cache_auth_recv(struct tevent_req *req, time_t *expire_date) { struct sysdb_cache_auth_state *state = tevent_req_data(req, struct sysdb_cache_auth_state); TEVENT_REQ_RETURN_ON_ERROR(req); +*expire_date = state-expire_date; return (state-authentication_successful ? EOK : EINVAL); } diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c index f89e73c..a4573e6 100644 --- a/server/responder/pam/pamsrv_cmd.c +++ b/server/responder/pam/pamsrv_cmd.c 
@@ -626,13 +626,31 @@ static void pam_cache_auth_done(struct tevent_req *req) int ret; struct pam_auth_req *preq = tevent_req_callback_data(req, struct pam_auth_req); +const uint32_t resp_type = SSS_PAM_USER_INFO_OFFLINE_AUTH; +const size_t resp_len = sizeof(uint32_t) + sizeof(long long); +uint8_t *resp; +time_t expire_date = 0; +long long dummy; -ret = sysdb_cache_auth_recv(req); +ret = sysdb_cache_auth_recv(req, expire_date); talloc_zfree(req); switch (ret) { case EOK: preq-pd-pam_status = PAM_SUCCESS; +resp = talloc_size(preq-pd, resp_len); +if (resp == NULL) { +DEBUG(1, (talloc_size failed, cannot prepare user info.\n)); +} else { +memcpy(resp, resp_type, sizeof(uint32_t)); +dummy = (long long) expire_date; +memcpy(resp+sizeof(uint32_t), dummy, sizeof(long long)); +ret
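Review bot: in the sysdb_cache_auth_recv hunk of server/db/sysdb_ops.c the output is assigned (*expire_date = state-expire_date) only after TEVENT_REQ_RETURN_ON_ERROR(req), so on any error return the caller's variable is left untouched; pam_cache_auth_done initialises time_t expire_date = 0 so it is safe there, but please either assign before the macro or note next to the prototype in sysdb.h that the value is defined only on EOK.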
Re: [SSSD] [PATCH] Add offline failed login counter
On Thu, Jan 28, 2010 at 02:52:21PM -0500, Stephen Gallagher wrote:

On 01/27/2010 11:48 AM, Sumit Bose wrote:

This new version of the patch adds the option offline_failed_login_delay. I think we should use this scheme for the local domain, too, but with a separate set of config options (failed_login_count and failed_login_delay in the domain section). I'm not sure about the general online case because we might interfere with policies on the server.

Nack.

Please specify in the SSSDConfig API that the time is in minutes.

fixed

I think it would be more correct to return EIO if we fail to get the login delay or allowed attempts from confdb. EACCESS implies that we explicitly failed.

fixed

The DEBUG messages after failure to save SYSDB_LAST_LOGIN and SYSDB_FAILED_LOGIN_ATTEMPTS are wrong.

fixed

I'm not sure if this was intentional or not: if I'm reading this correctly, we're still saving the last failed login time every time it fails, even if we're already in the 5-minute waiting period. So, effectively, it's going to deny forever unless they wait five minutes.

no, you are wrong, if check_failed_login_attempts() fails or denies access nothing is changed or updated.

I think we probably want to stop storing the last failed login time once we hit our failed login counter, otherwise things might be frustrating for the user. On the other hand, this is a great way to defeat brute-force attacks, so I'm not sure how we want to proceed on this.

I think this would be an unexpected behaviour and it might be a bit annoying to a user who didn't look too closely at his watch and retried after 4 minutes and 55 seconds.

Also, would it be possible to return a message to the user that they've passed the maximum attempts and that they need to wait five minutes? (I'm thinking something similar to your "Warn the user if authentication happens offline" patch.)

This would be possible, but wouldn't this disclose too much information to an attacker?
bye, Sumit

From e6d216f88f56549abd504db366ae6f4a3d935cee Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 25 Jan 2010 13:45:16 +0100 Subject: [PATCH] Add offline failed login counter --- server/Makefile.am | 13 +- server/confdb/confdb.h |4 + server/config/SSSDConfig.py |2 + server/config/etc/sssd.api.conf |2 + server/db/sysdb.h |6 + server/db/sysdb_ops.c | 240 +- server/man/sssd.conf.5.xml | 36 - server/responder/pam/pam_LOCAL_domain.c | 13 +- server/tests/auth-tests.c | 332 +++ 9 files changed, 631 insertions(+), 17 deletions(-) create mode 100644 server/tests/auth-tests.c diff --git a/server/Makefile.am b/server/Makefile.am index 7ba7ffa..3c02f65 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -75,7 +75,8 @@ if HAVE_CHECK files-tests \ refcount-tests \ fail_over-tests \ -find_uid-tests +find_uid-tests \ +auth-tests endif check_PROGRAMS = \ @@ -576,6 +577,16 @@ find_uid_tests_LDADD = \ $(DHASH_LIBS) \ $(CHECK_LIBS) +auth_tests_SOURCES = \ +tests/auth-tests.c \ +$(SSSD_UTIL_OBJ) +auth_tests_CFLAG = \ +$(AM_CFLAGS) \ +$(CHECK_CFLAGS) +auth_tests_LDADD = \ +$(SSSD_LIBS) \ +$(CHECK_LIBS) + endif stress_tests_SOURCES = \ diff --git a/server/confdb/confdb.h b/server/confdb/confdb.h index 7f6c63b..874f608 100644 --- a/server/confdb/confdb.h +++ b/server/confdb/confdb.h
@@ -65,6 +65,10 @@ /* PAM */ #define CONFDB_PAM_CONF_ENTRY config/pam #define CONFDB_PAM_CRED_TIMEOUT offline_credentials_expiration +#define CONFDB_PAM_FAILED_LOGIN_ATTEMPTS offline_failed_login_attempts +#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_ATTEMPTS 0 +#define CONFDB_PAM_FAILED_LOGIN_DELAY offline_failed_login_delay +#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5 /* Data Provider */ #define CONFDB_DP_CONF_ENTRY config/dp diff --git a/server/config/SSSDConfig.py b/server/config/SSSDConfig.py index b08e9f4..b751e4d 100644 --- a/server/config/SSSDConfig.py +++ b/server/config/SSSDConfig.py @@ -61,6 +61,8 @@ option_strings = { # [pam] 'offline_credentials_expiration' : _('How
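Review bot: the server/Makefile.am hunk adds auth_tests_CFLAG = \ $(AM_CFLAGS) \ $(CHECK_CFLAGS); automake's per-target variable is spelled _CFLAGS (compare the *_LDADD lines just above), so with the singular name CHECK_CFLAGS is never applied to auth-tests and the build silently falls back to the default flags. Please rename it to auth_tests_CFLAGS.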
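Review bot: in the server/confdb/confdb.h hunk the defaults CONFDB_DEFAULT_PAM_FAILED_LOGIN_ATTEMPTS 0 and CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5 carry neither a unit nor a meaning; the review asked for the SSSDConfig API to say the delay is in minutes, and the same /* minutes */ comment belongs on the header define, together with a note on what a value of 0 for the attempts limit means, since a reader of the header only sees the bare numbers.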
Re: [SSSD] [PATCH] Force offline operation with SIGUSR1
On Tue, Jan 26, 2010 at 09:42:52AM -0500, Stephen Gallagher wrote:

If the monitor receives SIGUSR1, it will instruct all providers to enter offline operation. If any individual provider receives SIGUSR1, it alone will enter offline operation.

I'm fine with this patch. If you want to stay offline for a longer time you can use a loop like

while /bin/true; do pkill -USR1 '^sssd$'; sleep 10; done

But I'm not sure if production code should catch USR1. Is there a use case to force sssd or a provider to go offline in production? If not I would recommend to make it configurable.

bye, Sumit
Re: [SSSD] [PATCH] Add offline failed login counter
On Mon, Feb 01, 2010 at 08:29:09AM -0500, Stephen Gallagher wrote:

Nack

On 01/29/2010 05:51 AM, Sumit Bose wrote:

On Thu, Jan 28, 2010 at 02:52:21PM -0500, Stephen Gallagher wrote:

The DEBUG messages after failure to save SYSDB_LAST_LOGIN and SYSDB_FAILED_LOGIN_ATTEMPTS are wrong.

fixed

No it's not:

+ret = sysdb_attrs_add_time_t(state-update_attrs, SYSDB_LAST_LOGIN, + time(NULL)); +if (ret != EOK) { +DEBUG(3, (sysdb_attrs_add_long failed, + but authentication is successful.\n)); +ret = EOK; +goto done; +}

And several other similar ones.

oh, sorry, I thought you meant a different DEBUG message. I hope I've found all of them now.

bye, Sumit

From 817790bd683451db7f47d0bc9cdfbf329adf015f Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 25 Jan 2010 13:45:16 +0100 Subject: [PATCH] Add offline failed login counter --- server/Makefile.am | 13 +- server/confdb/confdb.h |4 + server/config/SSSDConfig.py |2 + server/config/etc/sssd.api.conf |2 + server/db/sysdb.h |6 + server/db/sysdb_ops.c | 240 +- server/man/sssd.conf.5.xml | 36 - server/responder/pam/pam_LOCAL_domain.c | 13 +- server/tests/auth-tests.c | 332 +++ 9 files changed, 631 insertions(+), 17 deletions(-) create mode 100644 server/tests/auth-tests.c diff --git a/server/Makefile.am b/server/Makefile.am index 7ba7ffa..3c02f65 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -75,7 +75,8 @@ if HAVE_CHECK files-tests \ refcount-tests \ fail_over-tests \ -find_uid-tests +find_uid-tests \ +auth-tests endif check_PROGRAMS = \ @@ -576,6 +577,16 @@ find_uid_tests_LDADD = \ $(DHASH_LIBS) \ $(CHECK_LIBS) +auth_tests_SOURCES = \ +tests/auth-tests.c \ +$(SSSD_UTIL_OBJ) +auth_tests_CFLAG = \ +$(AM_CFLAGS) \ +$(CHECK_CFLAGS) +auth_tests_LDADD = \ +$(SSSD_LIBS) \ +$(CHECK_LIBS) + endif stress_tests_SOURCES = \ diff --git a/server/confdb/confdb.h b/server/confdb/confdb.h index 7f6c63b..874f608 100644 --- a/server/confdb/confdb.h +++ b/server/confdb/confdb.h
@@ -65,6 +65,10 @@ /* PAM */ #define CONFDB_PAM_CONF_ENTRY config/pam #define CONFDB_PAM_CRED_TIMEOUT offline_credentials_expiration +#define CONFDB_PAM_FAILED_LOGIN_ATTEMPTS offline_failed_login_attempts +#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_ATTEMPTS 0 +#define CONFDB_PAM_FAILED_LOGIN_DELAY offline_failed_login_delay +#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5 /* Data Provider */ #define CONFDB_DP_CONF_ENTRY config/dp diff --git a/server/config/SSSDConfig.py b/server/config/SSSDConfig.py index b08e9f4..b751e4d 100644 --- a/server/config/SSSDConfig.py +++ b/server/config/SSSDConfig.py @@ -61,6 +61,8 @@ option_strings = { # [pam] 'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'), +'offline_failed_login_attempts' : _('How many failed logins attempts are allowed when offline'), +'offline_failed_login_delay' : _('How long (minutes) to deny login after offline_failed_login_attempts has been reached'), # [provider] 'id_provider' : _('Identity provider'), diff --git a/server/config/etc/sssd.api.conf b/server/config/etc/sssd.api.conf index bdb6aab..5fc8e78 100644 --- a/server/config/etc/sssd.api.conf +++ b/server/config/etc/sssd.api.conf @@ -31,6 +31,8 @@ pwfield = str, None, * [pam] # Authentication service offline_credentials_expiration = int, None +offline_failed_login_attempts = int, None +offline_failed_login_delay = int, None [provider] #Available provider types diff --git a/server/db/sysdb.h b/server/db/sysdb.h index 4c25549..9b77edf 100644 --- a/server/db/sysdb.h +++ b/server/db/sysdb.h @@ -22,6 +22,7 @@ #ifndef __SYS_DB_H__ #define __SYS_DB_H__ +#include util/util.h #include confdb/confdb.h #include tevent.h 
@@ -66,6 +67,8 @@ #define SYSDB_LAST_LOGIN lastLogin #define SYSDB_LAST_ONLINE_AUTH lastOnlineAuth #define SYSDB_USERPIC userPicture +#define SYSDB_LAST_FAILED_LOGIN lastFailedLogin +#define SYSDB_FAILED_LOGIN_ATTEMPTS failedLoginAttempts #define SYSDB_LAST_UPDATE lastUpdate #define SYSDB_CACHE_EXPIRE dataExpireTimestamp @@ -543,6 +546,9 @@ struct tevent_req *sysdb_cache_password_send(TALLOC_CTX *mem_ctx, int sysdb_cache_password_recv(struct tevent_req *req); +errno_t check_failed_login_attempts(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb, +struct ldb_message *ldb_msg, +uint32_t *failed_login_attempts); struct tevent_req *sysdb_cache_auth_send(TALLOC_CTX *mem_ctx
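Review bot: the server/Makefile.am hunk in this resubmission still reads auth_tests_CFLAG = \ $(AM_CFLAGS) \ $(CHECK_CFLAGS); automake's per-target variable is _CFLAGS (compare the *_LDADD lines above it), so CHECK_CFLAGS is silently ignored for auth-tests. Please rename it to auth_tests_CFLAGS.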
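Review bot: in the server/config/SSSDConfig.py hunk the translatable string 'How many failed logins attempts are allowed when offline' has a typo (it should be 'failed login attempts'); since these strings are picked up into translation catalogs, fix it before it is translated.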
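The lockout rules discussed in this thread (offline_failed_login_attempts, offline_failed_login_delay in minutes, nothing updated while access is denied), as an added C model that is not SSSD's sysdb code; the struct names, the reading of 0 attempts as "no limit" and the reset of the counter on a successful login are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <time.h>

#define EOK 0

/* Constructed stand-in for the cached user entry (the sysdb attributes). */
struct cached_user {
    time_t   last_login;            /* SYSDB_LAST_LOGIN */
    time_t   last_failed_login;     /* SYSDB_LAST_FAILED_LOGIN */
    uint32_t failed_login_attempts; /* SYSDB_FAILED_LOGIN_ATTEMPTS */
};

/* The two [pam] options added by the patch. */
struct offline_policy {
    uint32_t failed_login_attempts; /* offline_failed_login_attempts; 0 = no limit (assumed) */
    uint32_t failed_login_delay;    /* offline_failed_login_delay, in minutes */
};

/* Decide whether an offline attempt may be evaluated at all.
 * Returns EOK, or EACCES while the user is still inside the delay window. */
int check_failed_login_attempts(const struct offline_policy *pol,
                                const struct cached_user *user, time_t now)
{
    time_t delay_end;

    if (pol->failed_login_attempts == 0 ||
        user->failed_login_attempts < pol->failed_login_attempts) {
        return EOK;
    }
    delay_end = user->last_failed_login + (time_t)pol->failed_login_delay * 60;
    if (now < delay_end) {
        return EACCES;   /* denied: the caller must not touch the entry */
    }
    return EOK;          /* delay elapsed: one more attempt is evaluated */
}

/* One offline authentication attempt. password_ok stands for the cached
 * hash comparison. Returns EOK on success, EACCES when locked out and
 * EINVAL for a wrong password. The entry is only updated when the attempt
 * was actually evaluated, so a retry inside the delay window does not
 * extend the lockout. */
int offline_auth(const struct offline_policy *pol, struct cached_user *user,
                 bool password_ok, time_t now)
{
    int ret = check_failed_login_attempts(pol, user, now);

    if (ret != EOK) {
        return ret;      /* nothing is changed or updated, as stated in the thread */
    }
    if (password_ok) {
        user->last_login = now;
        user->failed_login_attempts = 0;   /* assumed: success clears the counter */
        return EOK;
    }
    user->last_failed_login = now;
    user->failed_login_attempts++;
    return EINVAL;
}
```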
Re: [SSSD] sssd.spec for SLES
Hi, this patch works for me. I think it's ok to integrate the changes as they are available.

ACK

bye, Sumit

On Mon, Feb 01, 2010 at 08:54:06AM -0500, Stephen Gallagher wrote:

Sergei, I appreciate the patch, but I'm going to recommend holding off on it for a couple days, as I'm currently working to split out several of our other libraries as well (path_utils, collection, ini and refarray), so it might be better to solve this all at once.

On 02/01/2010 08:40 AM, Sergei V. Kovylov wrote:

Hi all. Here is an update of the suse/sssd.spec.in file to meet current changes (splitting sssd and dhash, etc).
Re: [SSSD] [PATCHES] Split off helper libraries into their own packages
On Mon, Feb 01, 2010 at 01:33:27PM -0500, Stephen Gallagher wrote:

Patches 0001-0003: License and package libpath_utils
Patches 0004-0007: License and package libcollection. (Patch 0005 fixes an incorrect #include in collection.h)
Patches 0008-0011: License and package libini_config. (Patch 0009 fixes an array index mistake that was throwing a compiler warning and would have been a potential memory-corruption bug.)
Patches 0012-0014: License and package libref_array

These are all very simple patches, there are just a bunch of them :) It should be an easy review.

NACK

libini does not build anymore because it cannot find libcollection. The changes 0006-Split-off-libcollection-into-a-shared-library.patch does in server/ need to be ported to common/ini/, too.

bye, Sumit
Re: [SSSD] [PATCH] Warn the user if authentication happens offline
On Mon, Feb 01, 2010 at 09:24:47AM -0500, Stephen Gallagher wrote:

On 01/28/2010 11:37 AM, Sumit Bose wrote:

Hi, this patch should fix #239. All translatable strings are in the pam client and now it should be quite easy to add new messages which should be presented to the user. It is quite easy to see this message for a console user, but currently a GUI user needs a very fast eye to catch the message in the gdm or screensaver window. Maybe we should ask the desktop people to send a PAM_TEXT_INFO message e.g. with libnotify to the user's desktop.

bye, Sumit

Nitpick: In the sysdb-tests, could you please add a simple check for whether expire_date is zero or nonzero (as appropriate). It probably wouldn't hurt to set the offline expiration both on and off and have a test for each. Otherwise the patch looks great.

ok, new version with extended tests is attached.

bye, Sumit

From 81f1d67b334d6b6f2b7754f537f12f5aade029ef Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Thu, 28 Jan 2010 17:19:03 +0100 Subject: [PATCH] Warn the user if authentication happens offline --- server/db/sysdb.h |2 +- server/db/sysdb_ops.c | 20 +-- server/responder/pam/pamsrv_cmd.c | 20 +++- server/tests/sysdb-tests.c| 103 ++-- sss_client/pam_sss.c | 82 + sss_client/sss_cli.h |5 ++ 6 files changed, 219 insertions(+), 13 deletions(-) diff --git a/server/db/sysdb.h b/server/db/sysdb.h index 9b77edf..a6d9e69 100644
--- a/server/db/sysdb.h +++ b/server/db/sysdb.h @@ -557,7 +557,7 @@ struct tevent_req *sysdb_cache_auth_send(TALLOC_CTX *mem_ctx, const uint8_t *authtok, size_t authtok_size, struct confdb_ctx *cdb); -int sysdb_cache_auth_recv(struct tevent_req *req); +int sysdb_cache_auth_recv(struct tevent_req *req, time_t *expire_date); struct tevent_req *sysdb_store_custom_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c index c1d996d..8dd81b3 100644 --- a/server/db/sysdb_ops.c +++ b/server/db/sysdb_ops.c @@ -4648,6 +4648,7 @@ struct sysdb_cache_auth_state { struct sysdb_attrs *update_attrs; bool authentication_successful; struct sysdb_handle *handle; +time_t expire_date; }; errno_t check_failed_login_attempts(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb, @@ -4766,6 +4767,7 @@ struct tevent_req *sysdb_cache_auth_send(TALLOC_CTX *mem_ctx, state-update_attrs = NULL; state-authentication_successful = false; state-handle = NULL; +state-expire_date = -1; subreq = sysdb_search_user_by_name_send(state, ev, sysdb, NULL, domain, name, attrs); @@ -4821,10 +4823,16 @@ static void sysdb_cache_auth_get_attrs_done(struct tevent_req *subreq) DEBUG(9, (Offline credentials expiration is [%d] days.\n, cred_expiration)); -if (cred_expiration lastLogin + (cred_expiration * 86400) time(NULL)) { -DEBUG(4, (Cached user entry is too old.\n)); -ret = EACCES; -goto done; +if (cred_expiration) { +state-expire_date = lastLogin + (cred_expiration * 86400); +if (state-expire_date time(NULL)) { +DEBUG(4, (Cached user entry is too old.\n)); +state-expire_date = 0; +ret = EACCES; +goto done; +} +} else { +state-expire_date = 0; } ret = check_failed_login_attempts(state, state-cdb, ldb_msg, 
@@ -5026,9 +5034,11 @@ static void sysdb_cache_auth_done(struct tevent_req *subreq) return; } -int sysdb_cache_auth_recv(struct tevent_req *req) { +int sysdb_cache_auth_recv(struct tevent_req *req, time_t *expire_date) { struct sysdb_cache_auth_state *state = tevent_req_data(req, struct sysdb_cache_auth_state); +*expire_date = state-expire_date; + TEVENT_REQ_RETURN_ON_ERROR(req); return (state-authentication_successful ? EOK : EINVAL); diff --git a/server/responder/pam/pamsrv_cmd.c
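Review bot: in the server/db/sysdb_ops.c hunks of this version expire_date now has three states: -1 from the initialiser in sysdb_cache_auth_send, 0 from both the no-expiration branch and the too-old branch (which also returns EACCES), and a real timestamp; and because sysdb_cache_auth_recv now copies it out before TEVENT_REQ_RETURN_ON_ERROR(req), a caller can observe -1 when the request fails before the expiration block. Please document these values at the sysdb_cache_auth_recv prototype in sysdb.h so the responder and the pam client agree that 0 means "no expiry date", not the epoch.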
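The expire_date cases the review asks to test (expiration on and still valid, on and too old, off) and the type-plus-long-long packet the pam responder builds from the result, as an added C example that is not SSSD's code; the enumerator value for SSS_PAM_USER_INFO_OFFLINE_AUTH is a placeholder because it is not on the page, and unpack_offline_auth_resp is a hypothetical client-side counterpart.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

#define EOK 0
/* Placeholder: the real enumerator value from sss_cli.h is not on the page. */
#define SSS_PAM_USER_INFO_OFFLINE_AUTH 0x0a
/* Packet layout from the pamsrv_cmd.c hunk: uint32_t type, then long long date. */
#define OFFLINE_AUTH_RESP_LEN (sizeof(uint32_t) + sizeof(long long))

/* Work out the cache expiry the way the sysdb_ops.c hunk does.
 * cred_expiration is offline_credentials_expiration in days, 0 = never.
 * On return *expire_date is 0 (no expiry configured, or the entry is
 * already too old and EACCES is returned) or the expiry timestamp. */
int compute_expire_date(time_t last_login, int cred_expiration, time_t now,
                        time_t *expire_date)
{
    if (cred_expiration) {
        *expire_date = last_login + (time_t)cred_expiration * 86400;
        if (*expire_date < now) {
            *expire_date = 0;
            return EACCES;       /* cached user entry is too old */
        }
    } else {
        *expire_date = 0;
    }
    return EOK;
}

/* Responder side: the type word followed by the date widened to long long,
 * both stored with memcpy() so the buffer needs no alignment and the wire
 * width does not depend on sizeof(time_t). Returns bytes written, 0 if the
 * buffer is too small. */
size_t pack_offline_auth_resp(uint8_t *resp, size_t resp_size, time_t expire_date)
{
    const uint32_t resp_type = SSS_PAM_USER_INFO_OFFLINE_AUTH;
    const long long date = (long long)expire_date;

    if (resp_size < OFFLINE_AUTH_RESP_LEN) {
        return 0;
    }
    memcpy(resp, &resp_type, sizeof(resp_type));
    memcpy(resp + sizeof(resp_type), &date, sizeof(date));
    return OFFLINE_AUTH_RESP_LEN;
}

/* Client side (hypothetical, in the style of eval_response in pam_sss.c):
 * check the length before reading anything, then read with memcpy() for
 * the same alignment reason. Returns EOK or EINVAL. */
int unpack_offline_auth_resp(const uint8_t *buf, size_t len, long long *expire_date)
{
    uint32_t resp_type;

    if (len != OFFLINE_AUTH_RESP_LEN) {
        return EINVAL;           /* truncated or oversized packet */
    }
    memcpy(&resp_type, buf, sizeof(resp_type));
    if (resp_type != SSS_PAM_USER_INFO_OFFLINE_AUTH) {
        return EINVAL;
    }
    memcpy(expire_date, buf + sizeof(resp_type), sizeof(*expire_date));
    return EOK;
}
```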
Re: [SSSD] [PATCH] Make krb5 and open checks work if forking is disabled
On Wed, Feb 03, 2010 at 01:13:53PM +0100, Sumit Bose wrote:

Hi, this patch fixes two unit tests which failed if CK_FORK is set to no.

New version with a more detailed description and a check if strdup() was successful.

bye, Sumit

From f33fd73501bcfa6ab5329ba3b56612ccf355b986 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 2 Feb 2010 17:22:34 +0100 Subject: [PATCH] Make krb5 and open checks work if forking is disabled

When CK_FORK is set to 'no' the fixtures are executed for every new test inside of the same process. Global variables must be set to the expected values by the fixtures.

check_and_open-tests.c: the filename template for mkstemp() was a globally defined character string. After the first call to mkstemp() the trailing XX are substituted by random values, a second call to mkstemp() with this character string fails. This patch initializes the filename template before mkstemp() is called with the help of strdup() and the memory is freed in the teardown fixture.

krb5_utils-tests.c: this patch sets the just freed global talloc context to NULL to make a consistency check in the setup fixture pass.

--- server/tests/check_and_open-tests.c |6 +- server/tests/krb5_utils-tests.c |1 + 2 files changed, 6 insertions(+), 1 deletions(-) diff --git a/server/tests/check_and_open-tests.c b/server/tests/check_and_open-tests.c index 2e96455..b0d638b 100644 --- a/server/tests/check_and_open-tests.c +++ b/server/tests/check_and_open-tests.c @@ -32,7 +32,8 @@ #define SUFFIX .symlink -char filename[] = check_and_open-tests-XX; +#define FILENAME_TEMPLATE check_and_open-tests-XX +char *filename; uid_t uid; gid_t gid; mode_t mode; @@ -42,6 +43,8 @@ void setup_check_and_open(void) { int ret; +filename = strdup(FILENAME_TEMPLATE); +fail_unless(filename != NULL, strdup failed); ret = mkstemp(filename); fail_unless(ret != -1, mkstemp failed [%d][%s], errno, strerror(errno)); close(ret);
@@ -63,6 +66,7 @@ void teardown_check_and_open(void) fail_unless(filename != NULL, unknown filename); ret = unlink(filename); +free(filename); fail_unless(ret == 0, unlink failed [%d][%s], errno, strerror(errno)); } diff --git a/server/tests/krb5_utils-tests.c b/server/tests/krb5_utils-tests.c index c3d9f4c..8676f3b 100644 --- a/server/tests/krb5_utils-tests.c +++ b/server/tests/krb5_utils-tests.c @@ -92,6 +92,7 @@ void free_talloc_context(void) int ret; fail_unless(tmp_ctx != NULL, Talloc context already freed.); ret = talloc_free(tmp_ctx); +tmp_ctx = NULL; fail_unless(ret == 0, Connot free talloc context.); } -- 1.6.6
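Review bot: in the teardown_check_and_open hunk of server/tests/check_and_open-tests.c, free(filename) is not followed by filename = NULL, unlike the krb5_utils-tests.c hunk in the same patch, which sets tmp_ctx = NULL after talloc_free; since the point of the patch is that fixtures run repeatedly in one process with CK_FORK=no, a dangling filename lets the fail_unless(filename != NULL, unknown filename) check at the top of this function pass on a freed pointer. Please clear the pointer after the free.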
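Review bot: the context line in the server/tests/krb5_utils-tests.c hunk reads fail_unless(ret == 0, Connot free talloc context.); since the hunk touches the line directly above it, fixing the 'Connot' typo while here is cheap.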
Re: [SSSD] [PATCH] Add missing include
On Thu, Feb 04, 2010 at 07:56:06PM +0100, Jakub Hrozek wrote: A one liner - I noticed that pam_sss.c uses snprintf but does not include stdio.h (vsnprintf is used elsewhere which is declared in correctly included stdarg.h) I just wrote the same patch. ACK bye, Sumit
Re: [SSSD] [PATCH] Reactivate old fd handling conditionally
On Thu, Feb 04, 2010 at 09:02:51AM -0500, Stephen Gallagher wrote: On 02/04/2010 08:15 AM, Sumit Bose wrote: Hi, this patch reintroduces the old way of handling the file descriptor of an LDAP connection if the connection callback is not available. Using the old way we cannot handle LDAP referrals and I think we should generate a DEBUG message if ldap_referrals is set to 'true' and add a hint to the man page. Do you agree? I didn't put these changes in the patch to make the review easier because it can be compared line by line with commit 7c8f422495347e6ff829246ebf5d7faad9f6d160 'Use ldap connection callbacks to get file descriptors'. bye, Sumit The patch looks fine. I'd like to see the man page specify that ldap_referrals do not work for openldap libraries older than 2.4.12. The debug message should reflect the same. Please resubmit with these two changes. man page change and debug message are in the second patch. bye, Sumit From e162de2fbf6e03bc5426537b46692db38315f5dd Mon Sep 17 00:00:00 2001 
From: Sumit Bose sb...@redhat.com Date: Thu, 4 Feb 2010 11:53:36 +0100 Subject: [PATCH 1/2] Reactivate old fd handling conditionally Older versions of openLDAP do not provide a connection callback. This patch adds a configure check to see if the callback is available and activates the old way of handling the file descriptor of the LDAP connection. This also means that it is not possible to follow referrals. --- server/external/ldap.m4 |4 ++ server/providers/ldap/sdap.h |4 ++ server/providers/ldap/sdap_async.c| 44 + server/providers/ldap/sdap_async_connection.c | 25 +- server/providers/ldap/sdap_async_private.h|6 +++ 5 files changed, 82 insertions(+), 1 deletions(-) diff --git a/server/external/ldap.m4 b/server/external/ldap.m4 index a17ed7e..ee425d8 100644 --- a/server/external/ldap.m4 +++ b/server/external/ldap.m4 @@ -44,6 +44,10 @@ SAVE_LIBS=$LIBS CFLAGS=$CFLAGS $OPENLDAP_CFLAGS LIBS=$LIBS $OPENLDAP_LIBS AC_CHECK_FUNCS([ldap_control_create]) +AC_CHECK_MEMBERS([struct ldap_conncb.lc_arg], + [AC_DEFINE([HAVE_LDAP_CONNCB], [1], + [Define if LDAP connection callbacks are available])], + [], [[#include ldap.h]]) CFLAGS=$SAVE_CFLAGS LIBS=$SAVE_LIBS diff --git a/server/providers/ldap/sdap.h b/server/providers/ldap/sdap.h index f32ce05..16dbb78 100644 --- a/server/providers/ldap/sdap.h +++ b/server/providers/ldap/sdap.h @@ -71,7 +71,11 @@ struct sdap_handle { LDAP *ldap; bool connected; +#ifdef HAVE_LDAP_CONNCB struct ldap_conncb *conncb; +#else +struct tevent_fd *fde; +#endif struct sdap_op *ops; }; diff --git a/server/providers/ldap/sdap_async.c b/server/providers/ldap/sdap_async.c index fd8c11e..88f1c4b 100644 --- a/server/providers/ldap/sdap_async.c +++ b/server/providers/ldap/sdap_async.c 
@@ -97,8 +97,12 @@ static void sdap_handle_release(struct sdap_handle *sh) if (sh-connected) { struct sdap_op *op; +#ifdef HAVE_LDAP_CONNCB /* remove all related fd events from the event loop */ talloc_zfree(sh-conncb-lc_arg); +#else +talloc_zfree(sh-fde); +#endif while (sh-ops) { op = sh-ops; @@ -111,7 +115,9 @@ static void sdap_handle_release(struct sdap_handle *sh) if (sh-ldap) { ldap_unbind_ext(sh-ldap, NULL, NULL); } +#ifdef HAVE_LDAP_CONNCB talloc_zfree(sh-conncb); +#endif sh-connected = false; sh-ldap = NULL; sh-ops = NULL; @@ -330,6 +336,7 @@ static void sdap_process_next_reply(struct tevent_context *ev, op-callback(op, op-list, EOK, op-data); } +#ifdef HAVE_LDAP_CONNCB int sdap_ldap_connect_callback_add(LDAP *ld, Sockbuf *sb, LDAPURLDesc *srv, struct sockaddr *addr, struct ldap_conncb *ctx) { @@ -404,6 +411,43 @@ void sdap_ldap_connect_callback_del(LDAP *ld, Sockbuf *sb, return; } +#else + +static int get_fd_from_ldap(LDAP *ldap, int *fd) +{ +int ret; + +ret = ldap_get_option(ldap, LDAP_OPT_DESC, fd); +if (ret != LDAP_OPT_SUCCESS) { +DEBUG(1, (Failed to get fd from ldap!!\n)); +*fd = -1; +return EIO
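Review bot: the AC_CHECK_MEMBERS test in the ldap.m4 hunk only establishes that the installed ldap.h declares `struct ldap_conncb` with an `lc_arg` member; it says nothing about whether the libldap being linked accepts LDAP_OPT_CONNECT_CB, so a header newer than the library, or a library where ldap_set_option() rejects the option, still gets HAVE_LDAP_CONNCB defined and the callback path compiled in. A link-and-run check that actually calls ldap_set_option() with LDAP_OPT_CONNECT_CB would make the define reflect what works.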
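Review bot: the sdap.h hunk makes `conncb` and `fde` mutually exclusive members of struct sdap_handle, and the `#else` build is exactly the one in which referral chasing cannot work (the thread asks for a DEBUG message and a man page note when ldap_referrals is set); a one-line comment on the `struct tevent_fd *fde;` branch stating that limitation keeps the reason with the code instead of in the mailing list archive.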
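Review bot: in the new get_fd_from_ldap() in the sdap_async.c `#else` branch, a failing `ldap_get_option(ldap, LDAP_OPT_DESC, fd)` is logged as "Failed to get fd from ldap!!" without the return code; include `ret` in the DEBUG message so a misbehaving library can be told apart from a handle that is simply not connected yet.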
Re: [SSSD] [PATCH] Added option to use libcrypto from OpenSSL instead of NSS.
On Thu, Feb 04, 2010 at 11:37:57AM -0600, George McCollister wrote: Sumit, I've attached a new version of the patch with the changes you suggested. just some minor nitpicks: - please reformat the commit message to use multiple lines not longer than 80 characters Fixed. - can you rename SSS_SOURCES to SSS_CRYPT_SOURCES That's what I meant to do in the first place. Fixed. - can you update the comment at the beginning of crypto_sha512crypt.c so that it is clear that this file uses calls from libcrypto and not from libnss3 Done. - please fix the following whitespace issues: Applying: Added option to use libcrypto instead of NSS. /tmp/sssd/.git/rebase-apply/patch:117: trailing whitespace. [ --enable-crypto Use OpenSSL crypto instead of NSS], /tmp/sssd/.git/rebase-apply/patch:271: trailing whitespace. /tmp/sssd/.git/rebase-apply/patch:292: trailing whitespace. * The final result will be added to the first context. */ /tmp/sssd/.git/rebase-apply/patch:147: new blank line at EOF. + warning: 4 lines add whitespace errors. I ran the last version of the patch through git apply and I only received 3 errors. I fixed everything I could find and now git apply is giving me no errors. Cheers, George McCollister ACK bye, Sumit
Re: [SSSD] [PATCH] Add some more .gitignore entries
On Fri, Feb 05, 2010 at 09:20:04AM -0500, Stephen Gallagher wrote: config.rpath: Automatically generated autoconf/libtool file .pyc, .pyo: Compiled python file .pydevproject: Python project file from Eclipse. ACK bye, Sumit
[SSSD] [PATCH] Send a message to the user if the login is delayed
Hi, if the option offline_failed_login_delay is set the authentication is denied for the specified number of minutes if the user has given a wrong password for offline_failed_login_attempts times. This patch sends a message to the user telling him when a new authentication will be accepted. bye, Sumit From 1beeb7cb1ef07e9f30249084ee344d525f776df2 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 8 Feb 2010 09:25:53 +0100 Subject: [PATCH] Send a message to the user if the login is delayed --- server/db/sysdb.h |6 ++- server/db/sysdb_ops.c | 30 ++- server/responder/pam/pamsrv_cmd.c | 27 +++-- server/tests/auth-tests.c | 51 +++ server/tests/sysdb-tests.c| 12 ++- sss_client/pam_sss.c | 59 + sss_client/sss_cli.h |3 +- 7 files changed, 152 insertions(+), 36 deletions(-) diff --git a/server/db/sysdb.h b/server/db/sysdb.h index a6d9e69..cf97ed6 100644 --- a/server/db/sysdb.h +++ b/server/db/sysdb.h @@ -548,7 +548,8 @@ int sysdb_cache_password_recv(struct tevent_req *req); errno_t check_failed_login_attempts(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb, struct ldb_message *ldb_msg, -uint32_t *failed_login_attempts); +uint32_t *failed_login_attempts, +time_t *delayed_until); struct tevent_req *sysdb_cache_auth_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct sysdb_ctx *sysdb, @@ -557,7 +558,8 @@ struct tevent_req *sysdb_cache_auth_send(TALLOC_CTX *mem_ctx, const uint8_t *authtok, size_t authtok_size, struct confdb_ctx *cdb); -int sysdb_cache_auth_recv(struct tevent_req *req, time_t *expire_date); +int sysdb_cache_auth_recv(struct tevent_req *req, time_t *expire_date, + time_t *delayed_until); struct tevent_req *sysdb_store_custom_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c index ccb5815..33cfd91 100644 --- a/server/db/sysdb_ops.c +++ b/server/db/sysdb_ops.c 
@@ -4649,17 +4649,21 @@ struct sysdb_cache_auth_state { bool authentication_successful; struct sysdb_handle *handle; time_t expire_date; +time_t delayed_until; }; errno_t check_failed_login_attempts(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb, struct ldb_message *ldb_msg, -uint32_t *failed_login_attempts) +uint32_t *failed_login_attempts, +time_t *delayed_until) { int ret; int allowed_failed_login_attempts; int failed_login_delay; time_t last_failed_login; +time_t end; +*delayed_until = -1; *failed_login_attempts = ldb_msg_find_attr_as_uint(ldb_msg, SYSDB_FAILED_LOGIN_ATTEMPTS, 0); last_failed_login = (time_t) ldb_msg_find_attr_as_int64(ldb_msg, @@ -4687,11 +4691,17 @@ errno_t check_failed_login_attempts(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb, if (allowed_failed_login_attempts) { if (*failed_login_attempts = allowed_failed_login_attempts) { -if (failed_login_delay -last_failed_login + (failed_login_delay * 60) time(NULL)) { -DEBUG(7, (failed_login_delay has passed, - resetting failed_login_attempts.\n)); -*failed_login_attempts = 0; +if (failed_login_delay) { +end = last_failed_login + (failed_login_delay * 60); +if (end time(NULL)) { +DEBUG(7, (failed_login_delay has passed, + resetting failed_login_attempts.\n)); +*failed_login_attempts = 0; +} else { +DEBUG(7, (login delayed until %lld.\n, (long long) end)); +*delayed_until = end; +return EACCES; +} } else { DEBUG(4, (Too many failed logins.\n)); return EACCES; @@ -4768,6 +4778,7 @@ struct tevent_req *sysdb_cache_auth_send(TALLOC_CTX *mem_ctx, state-authentication_successful = false; state-handle = NULL; state-expire_date = -1; +state-delayed_until = -1; subreq = sysdb_search_user_by_name_send(state, ev, sysdb, NULL, domain, name, attrs); @@ -4836,7 +4847,8 @@ static void sysdb_cache_auth_get_attrs_done(struct
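Review bot: the sysdb.h hunk adds `time_t *delayed_until` to check_failed_login_attempts() and sysdb_cache_auth_recv() but documents neither the sentinel (-1, which sysdb_ops.c assigns for "not delayed") nor whether the pointer may be NULL; a comment above each prototype saying that the pointer is mandatory and that -1 means no delay saves every caller from reading sysdb_ops.c.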
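Review bot: in the check_failed_login_attempts hunk, `end = last_failed_login + (failed_login_delay * 60);` multiplies two ints before the result is added to a time_t, so an unusually large offline_failed_login_delay overflows int before it is widened; write `(time_t) failed_login_delay * 60`. Separately, the delayed branch and the "Too many failed logins" branch both return EACCES and differ only in whether `*delayed_until` was set, so callers have to test delayed_until rather than the return code to decide whether to send the new message; that contract deserves a comment at the top of the function.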
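The decision the extended check_failed_login_attempts() makes, as an added example that is not the patch's code: the same inputs (the failure counter, the time of the last failure and the two offline_failed_login_* settings) reduced to a pure function, so the three outcomes and the -1 sentinel for delayed_until can be checked on constructed values. The type and function names are mine, and the policy struct stands in for the confdb lookups the real function performs.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Outcomes of the cached-credential lockout check. */
enum login_verdict {
    LOGIN_ALLOWED = 0,
    LOGIN_TOO_MANY_FAILURES,   /* counter exhausted and no delay configured */
    LOGIN_DELAYED              /* counter exhausted, delay still running */
};

/* Stand-in for the confdb options (constructed, not SSSD's own struct). */
struct lockout_policy {
    unsigned int allowed_failed_attempts; /* offline_failed_login_attempts; 0 disables the check */
    unsigned int delay_minutes;           /* offline_failed_login_delay; 0 means no automatic reset */
};

/* Mirrors the patch's logic on explicit inputs. *attempts is reset to 0 once
 * the delay has passed; *delayed_until is -1 unless the login is delayed, in
 * which case it holds the time at which the delay ends. */
enum login_verdict evaluate_lockout(const struct lockout_policy *p,
                                    time_t last_failed_login, time_t now,
                                    uint32_t *attempts, time_t *delayed_until)
{
    *delayed_until = -1;

    if (p->allowed_failed_attempts == 0 ||
        *attempts < p->allowed_failed_attempts) {
        return LOGIN_ALLOWED;
    }
    if (p->delay_minutes == 0) {
        return LOGIN_TOO_MANY_FAILURES;
    }

    /* Widen before multiplying so a large configured delay cannot overflow int. */
    time_t end = last_failed_login + (time_t)p->delay_minutes * 60;
    if (end < now) {
        *attempts = 0;              /* delay has passed: the counter starts over */
        return LOGIN_ALLOWED;
    }
    *delayed_until = end;
    return LOGIN_DELAYED;
}

/* Whole minutes the user still has to wait, rounded up, for the message the
 * patch sends back to pam_sss. Returns 0 when not delayed. */
long minutes_remaining(time_t delayed_until, time_t now)
{
    if (delayed_until == -1 || delayed_until <= now) {
        return 0;
    }
    return (long)((delayed_until - now + 59) / 60);
}

/* Scenario helpers so each outcome is available as a plain return value. */
int verdict_for(unsigned int allowed, unsigned int delay_min, uint32_t attempts,
                time_t last, time_t now)
{
    struct lockout_policy p = { allowed, delay_min };
    time_t until;
    return (int)evaluate_lockout(&p, last, now, &attempts, &until);
}

long delayed_until_for(unsigned int allowed, unsigned int delay_min,
                       uint32_t attempts, time_t last, time_t now)
{
    struct lockout_policy p = { allowed, delay_min };
    time_t until;
    evaluate_lockout(&p, last, now, &attempts, &until);
    return (long)until;
}

uint32_t attempts_after(unsigned int allowed, unsigned int delay_min,
                        uint32_t attempts, time_t last, time_t now)
{
    struct lockout_policy p = { allowed, delay_min };
    time_t until;
    evaluate_lockout(&p, last, now, &attempts, &until);
    return attempts;
}

int main(void)
{
    /* constructed timestamps: 3 failures allowed, 5 minute delay,
     * last failure at t=1000, check at t=1100 */
    long until = delayed_until_for(3, 5, 3, 1000, 1100);
    printf("verdict %d, delayed until %ld, %ld minute(s) left\n",
           verdict_for(3, 5, 3, 1000, 1100), until, minutes_remaining(until, 1100));
    return 0;
}
```

With the constructed policy, the check at t=1100 is delayed until t=1300 (four minutes, rounded up), a check at t=1400 is allowed and resets the counter, and with delay_minutes set to 0 the account stays at LOGIN_TOO_MANY_FAILURES with delayed_until left at -1.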
[SSSD] [PATCH] Fix handling of the global context in the leak detector
Hi, this patch fixes the handling of the global context in the leak test routine of some unit tests. Now it is initialized only once. bye, Sumit From 0cc6afa7dd30d7eec063639721fe45f2caac822b Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Fri, 5 Feb 2010 13:02:32 +0100 Subject: [PATCH] Fix handling of the global context in the leak detector --- server/tests/common.c |2 ++ server/tests/common.h |2 +- 2 files changed, 3 insertions(+), 1 deletions(-) diff --git a/server/tests/common.c b/server/tests/common.c index dad9dc6..50dc61b 100644 --- a/server/tests/common.c +++ b/server/tests/common.c @@ -29,6 +29,8 @@ #include util/dlinklist.h #include util/util.h +TALLOC_CTX *global_talloc_context = NULL; + struct size_snapshot { struct size_snapshot *prev; struct size_snapshot *next; diff --git a/server/tests/common.h b/server/tests/common.h index 44e2d9a..0e954d7 100644 --- a/server/tests/common.h +++ b/server/tests/common.h @@ -3,7 +3,7 @@ #include talloc.h -TALLOC_CTX *global_talloc_context; +extern TALLOC_CTX *global_talloc_context; #define check_leaks(ctx, bytes) _check_leaks((ctx), (bytes), __location__) void _check_leaks(TALLOC_CTX *ctx, -- 1.6.6
[SSSD] [PATCH] Make return values more specific during password change
Hi, with this patch a user should get a better hint what went wrong if a password change operation failed. bye, Sumit From 2addacf0378e3083e6e5b2fd80fdc5e90877a201 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 8 Feb 2010 11:53:43 +0100 Subject: [PATCH] Make return values more specific during password change - return PAM_AUTHTOK_ERR instead of PAM_SYSTEM_ERR if the password change operation fails - send a message to the user if the system is offline and the password cannot be changed --- server/providers/krb5/krb5_child.c |1 + server/providers/ldap/ldap_auth.c |8 ++- server/responder/pam/pamsrv_cmd.c | 92 +-- sss_client/pam_sss.c | 24 + sss_client/sss_cli.h |3 +- 5 files changed, 87 insertions(+), 41 deletions(-) diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c index 08e16b4..b730326 100644 --- a/server/providers/krb5/krb5_child.c +++ b/server/providers/krb5/krb5_child.c @@ -579,6 +579,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) result_string.length, result_string.data)); } +pam_status = PAM_AUTHTOK_ERR; goto sendresponse; } diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c index fbb4e53..1d1346c 100644 --- a/server/providers/ldap/ldap_auth.c +++ b/server/providers/ldap/ldap_auth.c @@ -772,7 +772,7 @@ static void sdap_auth4chpass_done(struct tevent_req *req) if (pw_expire_type == PWEXPIRE_SHADOW) { /* TODO: implement async ldap modify request */ DEBUG(1, (Changing shadow password attributes not implemented.\n)); -state-pd-pam_status = PAM_SYSTEM_ERR; +state-pd-pam_status = PAM_MODULE_UNKNOWN; goto done; } else { subreq = sdap_exop_modify_passwd_send(state, @@ -791,7 +791,9 @@ static void sdap_auth4chpass_done(struct tevent_req *req) return; } break; - +case SDAP_AUTH_FAILED: +state-pd-pam_status = PAM_AUTH_ERR; +break; default: state-pd-pam_status = PAM_SYSTEM_ERR; } 
@@ -821,7 +823,7 @@ static void sdap_pam_chpass_done(struct tevent_req *req) dp_err = DP_ERR_OK; break; default: -state-pd-pam_status = PAM_SYSTEM_ERR; +state-pd-pam_status = PAM_AUTHTOK_ERR; } done: diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c index 3172a97..69e492c 100644 --- a/server/responder/pam/pamsrv_cmd.c +++ b/server/responder/pam/pamsrv_cmd.c @@ -484,50 +484,68 @@ static void pam_reply(struct pam_auth_req *preq) struct tevent_req *req; struct sysdb_ctx *sysdb; struct pam_ctx *pctx; +uint32_t user_info_type; pd = preq-pd; DEBUG(4, (pam_reply get called.\n)); -if ((pd-cmd == SSS_PAM_AUTHENTICATE) -(preq-domain != NULL) -(preq-domain-cache_credentials == true) -(pd-offline_auth == false)) { +if (pd-pam_status == PAM_AUTHINFO_UNAVAIL) { +switch(pd-cmd) { +case SSS_PAM_AUTHENTICATE: +if ((preq-domain != NULL) +(preq-domain-cache_credentials == true) +(pd-offline_auth == false)) { -if (pd-pam_status == PAM_AUTHINFO_UNAVAIL) { -/* do auth with offline credentials */ -pd-offline_auth = true; +/* do auth with offline credentials */ +pd-offline_auth = true; -ret = sysdb_get_ctx_from_list(preq-cctx-rctx-db_list, - preq-domain, sysdb); -if (ret != EOK) { -DEBUG(0, (Fatal: Sysdb CTX not found for this domain!\n)); -goto done; -} - -pctx = talloc_get_type(preq-cctx-rctx-pvt_ctx, struct pam_ctx); - -req = sysdb_cache_auth_send(preq, preq-cctx-ev, sysdb, -preq-domain, pd-user, pd-authtok, -pd-authtok_size, pctx-rctx-cdb); -if (req == NULL) { -DEBUG(1, (Failed to setup offline auth)); -/* this error is not fatal, continue */ -} else { -tevent_req_set_callback(req, pam_cache_auth_done, preq); -return; -} -} -} +ret = sysdb_get_ctx_from_list(preq-cctx-rctx-db_list, + preq-domain, sysdb); +if (ret != EOK) { +DEBUG(0, (Fatal: Sysdb CTX not found for + domain [%s]!\n, preq-domain-name)); +goto done; +} +pctx = talloc_get_type(preq-cctx-rctx-pvt_ctx, + struct
Re: [SSSD] [PATCH] Make return values more specific during password change
On Mon, Feb 08, 2010 at 02:45:21PM -0500, Stephen Gallagher wrote: On 02/08/2010 08:56 AM, Sumit Bose wrote: Hi, with this patch a user should get a better hint what went wrong if a password change operation failed. Nack (minor nitpicks): DEBUG(1, (Failed to setup offline auth)); Missing '\n' DEBUG(5, (Password change not possible while offline)); Missing '\n' DEBUG(1, (Unknow PAM call [%d].\n, pd-cmd)); s/Unknow/Unknown/ new version attached bye, Sumit From 08347b649ee066dfba16f81dcb52e2b1777ca48c Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 8 Feb 2010 11:53:43 +0100 Subject: [PATCH] Make return values more specific during password change - return PAM_AUTHTOK_ERR instead of PAM_SYSTEM_ERR if the password change operation fails - send a message to the user if the system is offline and the password cannot be changed --- server/providers/krb5/krb5_child.c |1 + server/providers/ldap/ldap_auth.c |8 ++- server/responder/pam/pamsrv_cmd.c | 92 +-- sss_client/pam_sss.c | 24 + sss_client/sss_cli.h |3 +- 5 files changed, 87 insertions(+), 41 deletions(-) diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c index 08e16b4..b730326 100644 --- a/server/providers/krb5/krb5_child.c +++ b/server/providers/krb5/krb5_child.c 
@@ -579,6 +579,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) result_string.length, result_string.data)); } +pam_status = PAM_AUTHTOK_ERR; goto sendresponse; } diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c index fbb4e53..1d1346c 100644 --- a/server/providers/ldap/ldap_auth.c +++ b/server/providers/ldap/ldap_auth.c @@ -772,7 +772,7 @@ static void sdap_auth4chpass_done(struct tevent_req *req) if (pw_expire_type == PWEXPIRE_SHADOW) { /* TODO: implement async ldap modify request */ DEBUG(1, (Changing shadow password attributes not implemented.\n)); -state-pd-pam_status = PAM_SYSTEM_ERR; +state-pd-pam_status = PAM_MODULE_UNKNOWN; goto done; } else { subreq = sdap_exop_modify_passwd_send(state, @@ -791,7 +791,9 @@ static void sdap_auth4chpass_done(struct tevent_req *req) return; } break; - +case SDAP_AUTH_FAILED: +state-pd-pam_status = PAM_AUTH_ERR; +break; default: state-pd-pam_status = PAM_SYSTEM_ERR; } @@ -821,7 +823,7 @@ static void sdap_pam_chpass_done(struct tevent_req *req) dp_err = DP_ERR_OK; break; default: -state-pd-pam_status = PAM_SYSTEM_ERR; +state-pd-pam_status = PAM_AUTHTOK_ERR; } done: diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c index 3172a97..c204e0a 100644 --- a/server/responder/pam/pamsrv_cmd.c +++ b/server/responder/pam/pamsrv_cmd.c 
@@ -484,50 +484,68 @@ static void pam_reply(struct pam_auth_req *preq) struct tevent_req *req; struct sysdb_ctx *sysdb; struct pam_ctx *pctx; +uint32_t user_info_type; pd = preq-pd; DEBUG(4, (pam_reply get called.\n)); -if ((pd-cmd == SSS_PAM_AUTHENTICATE) -(preq-domain != NULL) -(preq-domain-cache_credentials == true) -(pd-offline_auth == false)) { +if (pd-pam_status == PAM_AUTHINFO_UNAVAIL) { +switch(pd-cmd) { +case SSS_PAM_AUTHENTICATE: +if ((preq-domain != NULL) +(preq-domain-cache_credentials == true) +(pd-offline_auth == false)) { -if (pd-pam_status == PAM_AUTHINFO_UNAVAIL) { -/* do auth with offline credentials */ -pd-offline_auth = true; +/* do auth with offline credentials */ +pd-offline_auth = true; -ret = sysdb_get_ctx_from_list(preq-cctx-rctx-db_list, - preq-domain, sysdb); -if (ret != EOK) { -DEBUG(0, (Fatal: Sysdb CTX not found for this domain!\n)); -goto done; -} - -pctx = talloc_get_type(preq-cctx-rctx-pvt_ctx, struct pam_ctx
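Review bot: PAM_MODULE_UNKNOWN in the PWEXPIRE_SHADOW branch of sdap_auth4chpass_done is PAM's code for an unknown module, not for an unimplemented operation, so the user will see a misleading message; if the intent is "not supported", PAM_AUTHTOK_ERR (consistent with the rest of this patch) or PAM_PERM_DENIED, with a comment next to the TODO explaining the choice, would be clearer than re-purposing this code.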
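Review bot: the `default:` branch of sdap_pam_chpass_done now maps every result that is not explicitly handled, including internal and transport errors, to PAM_AUTHTOK_ERR, which tells the user their password was rejected when the service may simply have failed; keep PAM_SYSTEM_ERR as the default and return PAM_AUTHTOK_ERR only from the cases that mean the server refused the password change.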
Re: [SSSD] [PATCH] sss_groupshow improvements
On Mon, Feb 08, 2010 at 09:01:29PM +0100, Jakub Hrozek wrote: This patch fixes the following issues: * man page issues (#395) * show info on MPGs (#396) * recursively print indirect members (#397) * the list of groupnames is comma separated (#398) * output inconsistencies (#399) NACK + +if (state-recursive == false) { +/* if not recursive, just fill in names */ +state-root-group_members = talloc_array(state-root, + struct group_info *, + nmembers+1); +for (i=0; group_members[i]; i++) { +state-root-group_members[i] = talloc_zero(state-root, +struct group_info); if there are no group members group_members==NULL. bye, Sumit
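Review bot: in the quoted non-recursive branch, the `talloc_array(state-root, struct group_info *, nmembers+1)` result is stored into `state-root-group_members` and written to in the loop without a NULL check, and the loop bound `group_members[i]` relies on the input array being NULL-terminated (which, as the reply points out, it is not when there are no members); check the allocation, iterate with `i < nmembers`, and NULL-terminate the new array explicitly.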
Re: [SSSD] [PATCH] sss_groupshow improvements
On Tue, Feb 09, 2010 at 10:39:28PM +0100, Jakub Hrozek wrote: On 02/09/2010 02:08 PM, Jakub Hrozek wrote: Although I did not manage to reproduce the segfault, the backtrace looked like an uninitialized nmembers variable..new patch is attached. Several other improvements related to the way we display info about the MPGs were discussed off-list, this patch factors them in. Jakub + +subreq = group_show_recurse_send(state-root, state, + state-root, + group_members, + nmembers); +if (ret != EOK) { +tevent_req_error(req, ret); +return; +} +tevent_req_set_callback(subreq, group_show_recurse_done, req); +} + I think 'if (!subreq)' fits better here. bye, Sumit
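Review bot: in the quoted hunk `ret` is not assigned by `group_show_recurse_send()`, so `if (ret != EOK)` tests a stale value and a NULL `subreq` goes straight into tevent_req_set_callback(); the check should be on `subreq == NULL` followed by `tevent_req_error(req, ENOMEM)`.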
Re: [SSSD] [PATCH] Fix other memory alignment issues
On Tue, Feb 09, 2010 at 10:39:35PM +0100, Jakub Hrozek wrote: Similar to George McCollister's patch to the pam code, this patch fixes other places in the code where we forced data into 32-bit alignment. Fixes: #390 George was testing KRB authentication with this patch and confirmed[1] it was working for him on ARM. I was running SSSD with this patch on x86_64 and did not spot any regressions. [1] https://fedorahosted.org/sssd/ticket/390#comment:3 This patch works on i686, too. Please remove the FIXME. The assignment was introduced in commit 2b4d76971e4ad803b42051fddb3add9fe2215dc2 with no special reason. bye, Sumit
Re: [SSSD] [PATCH] Fix other memory alignment issues
On Wed, Feb 10, 2010 at 01:21:04PM +0100, Jakub Hrozek wrote: On 02/10/2010 11:55 AM, Sumit Bose wrote: This patch works on i686, too. Please remove the FIXME. The assignment was introduced in commit 2b4d76971e4ad803b42051fddb3add9fe2215dc2 with no special reason. bye, Sumit attached ACK bye, Sumit From 80541ad346728f5df4fb21760fe4d0f7ca26fee5 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Mon, 25 Jan 2010 23:59:03 +0100 Subject: [PATCH] Fix other memory alignment issues Similar to George McCollister's patch to the pam code, this patch fixes other places in the code where we forced data into 32-bit alignment. Fixes: #390 --- server/providers/krb5/krb5_auth.c | 32 +++ server/providers/krb5/krb5_child.c | 31 ++ server/providers/ldap/ldap_child.c | 13 +++ server/providers/ldap/sdap_child_helpers.c | 21 ++--- 4 files changed, 55 insertions(+), 42 deletions(-) diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c index c013ea8..fd0a063 100644 --- a/server/providers/krb5/krb5_auth.c +++ b/server/providers/krb5/krb5_auth.c @@ -301,6 +301,7 @@ errno_t create_send_buffer(struct krb5child_req *kr, struct io_buffer **io_buf) size_t rp; const char *keytab; uint32_t validate; +uint32_t c = 0; keytab = dp_opt_get_cstring(kr-krb5_ctx-opts, KRB5_KEYTAB); if (keytab == NULL) { 
@@ -331,47 +332,50 @@ errno_t create_send_buffer(struct krb5child_req *kr, struct io_buffer **io_buf) } rp = 0; -((uint32_t *)(buf-data[rp]))[0] = kr-pd-cmd; +memcpy(buf-data[rp], kr-pd-cmd, sizeof(uint32_t)); rp += sizeof(uint32_t); -((uint32_t *)(buf-data[rp]))[0] = kr-pd-pw_uid; +memcpy(buf-data[rp], kr-pd-pw_uid, sizeof(uint32_t)); rp += sizeof(uint32_t); -((uint32_t *)(buf-data[rp]))[0] = kr-pd-gr_gid; +memcpy(buf-data[rp], kr-pd-gr_gid, sizeof(uint32_t)); rp += sizeof(uint32_t); -((uint32_t *)(buf-data[rp]))[0] = validate; +memcpy(buf-data[rp], validate, sizeof(uint32_t)); rp += sizeof(uint32_t); -((uint32_t *)(buf-data[rp]))[0] = kr-is_offline; +memcpy(buf-data[rp], kr-is_offline, sizeof(uint32_t)); rp += sizeof(uint32_t); -((uint32_t *)(buf-data[rp]))[0] = (uint32_t) strlen(kr-pd-upn); +c = (uint32_t) strlen(kr-pd-upn); +memcpy(buf-data[rp], c, sizeof(uint32_t)); rp += sizeof(uint32_t); -memcpy(buf-data[rp], kr-pd-upn, strlen(kr-pd-upn)); -rp += strlen(kr-pd-upn); +memcpy(buf-data[rp], kr-pd-upn, c); +rp += c; -((uint32_t *)(buf-data[rp]))[0] = (uint32_t) strlen(kr-ccname); +c = (uint32_t) strlen(kr-ccname); +memcpy(buf-data[rp], c, sizeof(uint32_t)); rp += sizeof(uint32_t); -memcpy(buf-data[rp], kr-ccname, strlen(kr-ccname)); +memcpy(buf-data[rp], kr-ccname, c); rp += strlen(kr-ccname); -((uint32_t *)(buf-data[rp]))[0] = (uint32_t) strlen(keytab); +c = (uint32_t) strlen(keytab); +memcpy(buf-data[rp], c, sizeof(uint32_t)); rp += sizeof(uint32_t); -memcpy(buf-data[rp], keytab, strlen(keytab)); +memcpy(buf-data[rp], keytab, c); rp += strlen(keytab); -((uint32_t *)(buf-data[rp]))[0] = kr-pd-authtok_size; +memcpy(buf-data[rp], kr-pd-authtok_size, sizeof(uint32_t)); rp += sizeof(uint32_t); memcpy(buf-data[rp], kr-pd-authtok, kr-pd-authtok_size); rp += kr-pd-authtok_size; if (kr-pd-cmd == SSS_PAM_CHAUTHTOK) { -((uint32_t *)(buf-data[rp]))[0] = kr-pd-newauthtok_size; +memcpy(buf-data[rp], kr-pd-newauthtok_size, sizeof(uint32_t)); rp += sizeof(uint32_t); 
memcpy(buf-data[rp], kr-pd-newauthtok, kr-pd-newauthtok_size); diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c index 08e16b4..f4de846 100644 --- a/server/providers/krb5/krb5_child.c +++ b/server/providers/krb5/krb5_child.c @@ -260,6 +260,7 @@ static errno_t pack_response_packet(struct response *resp, int status, int type, { int len; int p=0; +int32_t c; len = strlen(data)+1; if ((3*sizeof(int32_t) + len +1) resp-max_size) { @@ -267,13 +268,16 @@ static errno_t pack_response_packet(struct response *resp, int status, int type, return ENOMEM; } -((int32_t *)(resp-buf[p]))[0] = status; +c = status; +memcpy(resp-buf[p], c, sizeof(int32_t)); p += sizeof(int32_t); -((int32_t *)(resp-buf[p]))[0] = type
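Review bot: in the create_send_buffer hunk the copy length for ccname and keytab now comes from `c`, but the cursor still advances with `rp += strlen(kr-ccname);` and `rp += strlen(keytab);` while the upn block uses `rp += c;`; use `rp += c;` for all three so the bytes written and the advance cannot drift apart (they agree today only because `c` is computed from the same strlen call).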
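Review bot: the pack_response_packet hunk correctly routes `status` through the new `int32_t c` and memcpy(), but the unchanged size check `(3*sizeof(int32_t) + len +1)` adds one more byte although `len = strlen(data)+1` already counts the terminator; either drop the extra `+1` or comment why the slack is intended, so the next reader does not take it for an off-by-one.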
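The memcpy-based packing the patch switches to, as an added example that is not the project's code: a writer and a reader that move uint32 fields and length-prefixed strings through a byte buffer without ever forming a misaligned pointer (the `((uint32_t *)(buf-data[rp]))[0]` stores the patch removes are undefined behaviour on an odd address and fault on strict-alignment CPUs such as the ARM board mentioned in the thread). The reader also checks every length against the bytes left, which the child process that receives such a buffer needs. The cursor type, the helper names and the sample field values are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte cursor over a caller-owned buffer (constructed; not SSSD's io_buffer). */
struct cursor {
    uint8_t *data;
    size_t size;
    size_t pos;
};

static size_t left(const struct cursor *c) { return c->size - c->pos; }

/* Host-order uint32 written with memcpy, so data+pos may be unaligned. */
int put_u32(struct cursor *c, uint32_t v)
{
    if (left(c) < sizeof(v)) return ENOSPC;
    memcpy(c->data + c->pos, &v, sizeof(v));
    c->pos += sizeof(v);
    return 0;
}

/* Length-prefixed string, as create_send_buffer() does for upn/ccname/keytab. */
int put_lstring(struct cursor *c, const char *s)
{
    size_t n = strlen(s);
    if (n > UINT32_MAX || left(c) < sizeof(uint32_t) + n) return ENOSPC;
    put_u32(c, (uint32_t)n);
    memcpy(c->data + c->pos, s, n);
    c->pos += n;            /* advance by the same n that was written */
    return 0;
}

int get_u32(struct cursor *c, uint32_t *v)
{
    if (left(c) < sizeof(*v)) return EINVAL;
    memcpy(v, c->data + c->pos, sizeof(*v));
    c->pos += sizeof(*v);
    return 0;
}

/* Reader side: the length prefix comes from the peer, so it is checked
 * against both the bytes remaining and the caller's output buffer. */
int get_lstring(struct cursor *c, char *out, size_t outlen)
{
    uint32_t n;
    int ret = get_u32(c, &n);
    if (ret != 0) return ret;
    if (n > left(c) || n >= outlen) return EINVAL;
    memcpy(out, c->data + c->pos, n);
    out[n] = '\0';
    c->pos += n;
    return 0;
}

/* Round trip through a deliberately odd start address (raw + 1).
 * Returns 1 if every field survives, 0 otherwise. */
int roundtrip_at_odd_offset(void)
{
    uint8_t raw[128];
    struct cursor w = { raw + 1, sizeof(raw) - 1, 0 };
    const uint32_t cmd = 249, uid = 1000;   /* constructed sample values */
    if (put_u32(&w, cmd) || put_u32(&w, uid) ||
        put_lstring(&w, "user@EXAMPLE.TEST") ||
        put_lstring(&w, "FILE:/tmp/krb5cc_1000")) {
        return 0;
    }
    struct cursor r = { raw + 1, w.pos, 0 };
    uint32_t cmd2, uid2;
    char upn[64], cc[64];
    if (get_u32(&r, &cmd2) || get_u32(&r, &uid2) ||
        get_lstring(&r, upn, sizeof(upn)) || get_lstring(&r, cc, sizeof(cc))) {
        return 0;
    }
    return cmd2 == cmd && uid2 == uid && r.pos == w.pos &&
           strcmp(upn, "user@EXAMPLE.TEST") == 0 &&
           strcmp(cc, "FILE:/tmp/krb5cc_1000") == 0;
}

/* A length prefix larger than the payload must be rejected, not trusted.
 * Returns the reader's error code (EINVAL expected). */
int truncated_string_is_rejected(void)
{
    uint8_t raw[16];
    struct cursor w = { raw, sizeof(raw), 0 };
    put_u32(&w, 1000);                /* claims 1000 bytes follow */
    memcpy(raw + w.pos, "abc", 3);    /* only 3 actually do */
    struct cursor r = { raw, w.pos + 3, 0 };
    char out[8];
    return get_lstring(&r, out, sizeof(out));
}

int main(void)
{
    printf("round trip at odd offset: %s\n", roundtrip_at_odd_offset() ? "ok" : "FAILED");
    printf("oversized length prefix rejected: %s\n",
           truncated_string_is_rejected() == EINVAL ? "yes" : "no");
    return 0;
}
```

Both sides use the host byte order, as the patch does, which is fine between a parent and a child it forked itself; a buffer that crosses machines would additionally need a fixed byte order.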
Re: [SSSD] [PATCH] sss_groupshow improvements
On Wed, Feb 10, 2010 at 05:29:04PM +0100, Jakub Hrozek wrote: Yet another iteration to fix yet another bug.. ACK bye, Sumit
[SSSD] [PATCH] Add check for broken LDAP connection callbacks
Hi, this patch extends the test for LDAP connection callbacks. There is a bug in OpenLDAP 2.4.12 which makes ldap_set_option() fail. Now it is first checked whether the ldap_conncb structure is available and then whether ldap_set_option() succeeds. bye, Sumit From df6dcf338c4fef8428949ced3de4a28cf9282088 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Fri, 12 Feb 2010 12:23:12 +0100 Subject: [PATCH] Add check for broken LDAP connection callbacks --- server/external/ldap.m4| 12 +++- server/man/sssd-ldap.5.xml |2 +- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/server/external/ldap.m4 b/server/external/ldap.m4 index ee425d8..87d95fa 100644 --- a/server/external/ldap.m4 +++ b/server/external/ldap.m4 @@ -45,9 +45,19 @@ CFLAGS=$CFLAGS $OPENLDAP_CFLAGS LIBS=$LIBS $OPENLDAP_LIBS AC_CHECK_FUNCS([ldap_control_create]) AC_CHECK_MEMBERS([struct ldap_conncb.lc_arg], - [AC_DEFINE([HAVE_LDAP_CONNCB], [1], + [AC_RUN_IFELSE( + [AC_LANG_PROGRAM( + [[ #include ldap.h ]], + [[ + struct ldap_conncb cb; + return ldap_set_option(NULL, LDAP_OPT_CONNECT_CB, cb); + ]] )], + [AC_DEFINE([HAVE_LDAP_CONNCB], [1], [Define if LDAP connection callbacks are available])], + [AC_MSG_WARN([Found broken callback implementation])], + [])], [], [[#include ldap.h]]) + CFLAGS=$SAVE_CFLAGS LIBS=$SAVE_LIBS diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml index 2ef5143..b79cbbc 100644 --- a/server/man/sssd-ldap.5.xml +++ b/server/man/sssd-ldap.5.xml @@ -623,7 +623,7 @@ /para para Please note that sssd only supports referral chasing -when it is compiled with OpenLDAP version 2.4.12 or +when it is compiled with OpenLDAP version 2.4.13 or higher. /para para -- 1.6.6
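Review bot: the AC_RUN_IFELSE in the ldap.m4 hunk leaves the fourth (cross-compiling) action as `[]`, so a cross-compiled build silently ends up without HAVE_LDAP_CONNCB and falls back to the old fd handling with no referral support; give that branch an AC_MSG_WARN, or a configure switch that asserts a working callback. The failure action's "Found broken callback implementation" would also be more useful if it named the OpenLDAP 2.4.12 ldap_set_option() bug from the commit text and the 2.4.13 requirement the man page hunk now documents.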
Re: [SSSD] [PATCHES] Turn the ConfDB into its own package
On Fri, Feb 12, 2010 at 10:31:04AM -0500, Stephen Gallagher wrote: On 02/12/2010 09:17 AM, Stephen Gallagher wrote: On 02/12/2010 08:08 AM, Stephen Gallagher wrote: On 02/12/2010 08:04 AM, Sumit Bose wrote: I have two comments: +docs: all + $(MAKE) -C server $@ why do I have 'make all' before I can create the docs? It would be nice to get a message about missing doxygen instead of 'true doxy.config' if doxygen is not installed. Ah, these are leftovers from when I was building the docs as part of the installable data (for the RPM). We don't need the dependency on 'all', and I can change the configure test for doxygen. Replacing $(DOXYGEN) with 'true' was there to ensure that 'make install' didn't fail trying to build the docs. I will prepare a new patch. New patch attached. This patch uses @echo and @exit. Otherwise it is identical to the previous one I sent. ACK bye, Sumit
Re: [SSSD] [PATCH] Make PAM responses more compatible with D-BUS spec
On Fri, Feb 12, 2010 at 03:47:28PM -0500, Stephen Gallagher wrote:
> Previously, the PAM responses could contain an arbitrary number of
> arguments. This is not acceptable by the D-BUS protocol, as there is no
> way to introspect it.
>
> This patch converts the response objects to be an array of D-BUS structs.
>
> It also fixes two potential memory leaks by not unref'ing the reply object
> if we get an error.

ACK

bye,
Sumit
Re: [SSSD] [PATCH] Suppress warnings with -O2
On Mon, Feb 15, 2010 at 12:26:42PM +0100, Jakub Hrozek wrote:
> On 02/15/2010 11:42 AM, Sumit Bose wrote:
>> Hi,
>>
>> I would solve two issues differently:
>
> OK, sounds good. Thanks for the suggestions. New patch is attached.

ACK

bye,
Sumit
Re: [SSSD] [PATCHES] Merge sss_client into a single project with sss_daemon
On Wed, Feb 17, 2010 at 11:41:45AM -0500, Stephen Gallagher wrote:
> 0001: Move sss_client into a subdirectory of server, updating the
> configure script and Makefile.am
> 0002: Merge the translation files into a single sss_daemon pot
> 0003: Remove any files no longer needed (build files from sss_client and
> the old .po[t] files

This patch passed 'make distcheck' and some other tests I've done, but I
have some issues:

- BUILD.txt needs some update
- I would vote for renaming server/ to src/
- what do you think of putting all man pages in man/ and creating the API
  doc in doc/?

bye,
Sumit
[SSSD] [PATCH] Remove unneeded items from struct pam_data
Hi, while documenting the PAM DBUS API I found that we send some needless values. This patch removes them. bye, Sumit From d648df02e296d9750c068cf95d8c576f824438a6 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Thu, 18 Feb 2010 11:39:39 +0100 Subject: [PATCH] Remove unneeded items from struct pam_data --- server/providers/data_provider.h |4 -- server/providers/dp_auth_util.c|6 --- server/providers/krb5/krb5_auth.c | 46 +++ server/providers/krb5/krb5_auth.h |3 ++ server/providers/krb5/krb5_child.c | 71 server/providers/krb5/krb5_utils.c |8 ++-- server/responder/pam/pamsrv_cmd.c | 18 - server/tests/krb5_utils-tests.c|4 +- 8 files changed, 71 insertions(+), 89 deletions(-) diff --git a/server/providers/data_provider.h b/server/providers/data_provider.h index c524662..7421eed 100644 --- a/server/providers/data_provider.h +++ b/server/providers/data_provider.h @@ -112,10 +112,6 @@ struct pam_data { bool offline_auth; bool last_auth_saved; int priv; -uid_t pw_uid; -gid_t gr_gid; - -const char *upn; }; /* from dp_auth_util.c */ diff --git a/server/providers/dp_auth_util.c b/server/providers/dp_auth_util.c index 39cc0f6..16fb28c 100644 --- a/server/providers/dp_auth_util.c +++ b/server/providers/dp_auth_util.c @@ -35,8 +35,6 @@ void pam_print_data(int l, struct pam_data *pd) DEBUG(l, (newauthtok type: %d\n, pd-newauthtok_type)); DEBUG(l, (newauthtok size: %d\n, pd-newauthtok_size)); DEBUG(l, (priv: %d\n, pd-priv)); -DEBUG(l, (pw_uid: %d\n, pd-pw_uid)); -DEBUG(l, (gr_gid: %d\n, pd-gr_gid)); DEBUG(l, (cli_pid: %d\n, pd-cli_pid)); } @@ -86,8 +84,6 @@ bool dp_pack_pam_request(DBusMessage *msg, struct pam_data *pd) (pd-newauthtok), pd-newauthtok_size, DBUS_TYPE_INT32, (pd-priv), - DBUS_TYPE_INT32, (pd-pw_uid), - DBUS_TYPE_INT32, (pd-gr_gid), DBUS_TYPE_UINT32, (pd-cli_pid), DBUS_TYPE_INVALID); 
@@ -115,8 +111,6 @@ bool dp_unpack_pam_request(DBusMessage *msg, struct pam_data *pd, DBusError *dbu (pd-newauthtok), (pd-newauthtok_size), DBUS_TYPE_INT32, (pd-priv), -DBUS_TYPE_INT32, (pd-pw_uid), -DBUS_TYPE_INT32, (pd-gr_gid), DBUS_TYPE_UINT32, (pd-cli_pid), DBUS_TYPE_INVALID); diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c index fd0a063..5b9e30e 100644 --- a/server/providers/krb5/krb5_auth.c +++ b/server/providers/krb5/krb5_auth.c @@ -317,7 +317,7 @@ errno_t create_send_buffer(struct krb5child_req *kr, struct io_buffer **io_buf) return ENOMEM; } -buf-size = 9*sizeof(uint32_t) + strlen(kr-pd-upn) + strlen(kr-ccname) + +buf-size = 9*sizeof(uint32_t) + strlen(kr-upn) + strlen(kr-ccname) + strlen(keytab) + kr-pd-authtok_size; if (kr-pd-cmd == SSS_PAM_CHAUTHTOK) { @@ -335,10 +335,10 @@ errno_t create_send_buffer(struct krb5child_req *kr, struct io_buffer **io_buf) memcpy(buf-data[rp], kr-pd-cmd, sizeof(uint32_t)); rp += sizeof(uint32_t); -memcpy(buf-data[rp], kr-pd-pw_uid, sizeof(uint32_t)); +memcpy(buf-data[rp], kr-uid, sizeof(uint32_t)); rp += sizeof(uint32_t); -memcpy(buf-data[rp], kr-pd-gr_gid, sizeof(uint32_t)); +memcpy(buf-data[rp], kr-gid, sizeof(uint32_t)); rp += sizeof(uint32_t); memcpy(buf-data[rp], validate, sizeof(uint32_t)); @@ -347,11 +347,11 @@ errno_t create_send_buffer(struct krb5child_req *kr, struct io_buffer **io_buf) memcpy(buf-data[rp], kr-is_offline, sizeof(uint32_t)); rp += sizeof(uint32_t); -c = (uint32_t) strlen(kr-pd-upn); +c = (uint32_t) strlen(kr-upn); memcpy(buf-data[rp], c, sizeof(uint32_t)); rp += sizeof(uint32_t); -memcpy(buf-data[rp], kr-pd-upn, c); +memcpy(buf-data[rp], kr-upn, c); rp += c; c = (uint32_t) strlen(kr-ccname); 
@@ -543,7 +543,7 @@ static errno_t fork_child(struct krb5child_req *kr) * ccache file. In this case we can drop the privileges, too. */ if (!dp_opt_get_bool(kr-krb5_ctx-opts, KRB5_VALIDATE) || kr-pd-authtok_size == 0) { -ret = become_user(kr-pd-pw_uid, kr-pd-gr_gid); +ret = become_user(kr-uid, kr-gid); if (ret != EOK) { DEBUG(1, (become_user failed.\n)); return ret; @@ -745,7 +745,7 @@ void krb5_pam_handler(struct be_req *be_req) goto done; } -attrs = talloc_array(be_req
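Review bot: in the krb5_auth.c hunks, create_send_buffer() and fork_child() now read `kr->uid`, `kr->gid` and `kr->upn` instead of the pam_data fields, but the lines that fill these new struct krb5child_req members are not in the visible part of the patch (the krb5_pam_handler hunk breaks off at `attrs = talloc_array(be_req`). Please make sure every path into fork_child() sets them first: the call is now `become_user(kr->uid, kr->gid)`, and zero-initialised members would amount to become_user(0, 0), so an explicit check that the lookup filled them (with an error return before forking) is a cheap safeguard. The `9*sizeof(uint32_t)` size computation and the memcpy of sizeof(uint32_t) bytes from a uid_t/gid_t also deserve a comment (or a cast into a uint32_t temporary) recording that the parent/child wire format assumes 32-bit IDs.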
Re: [SSSD] [PATCHES] Merge sss_client into a single project with sss_daemon
On Thu, Feb 18, 2010 at 08:39:57AM -0500, Stephen Gallagher wrote:
> On 02/18/2010 07:17 AM, Stephen Gallagher wrote:
>> On 02/18/2010 06:18 AM, Sumit Bose wrote:
>>> On Wed, Feb 17, 2010 at 11:41:45AM -0500, Stephen Gallagher wrote:
>>>> 0001: Move sss_client into a subdirectory of server, updating the
>>>> configure script and Makefile.am
>>>> 0002: Merge the translation files into a single sss_daemon pot
>>>> 0003: Remove any files no longer needed (build files from sss_client and
>>>> the old .po[t] files
>>>
>>> This patch passed 'make distcheck' and some other tests I've done, but I
>>> have some issues:
>>>
>>> - BUILD.txt needs some update
>>
>> Ah, I completely forgot about that. Thanks.
>>
>>> - I would vote for renaming server/ to src/
>>
>> Yeah, I was planning to do pretty much exactly that in a follow-up patch.
>> I'll add that now.
>>
>>> - what do you think of putting all man pages in man/ and creating the API
>>>   doc in doc/?
>>
>> Ok, I'll do that too. It's a good idea.
>>
>> More patches forthcoming!
>>
>>> bye,
>>> Sumit
>
> Two new patches (these apply atop the three I already sent)
>
> Patch 0004: Rename server to src
> Patch 0005: Build manpages from one location
>
> If you approve all five patches, please reorganize your doxygen patch(es)
> to use a common location as well.

ACK to all 5.

bye,
Sumit
Re: [SSSD] [PATCH] Fix bad merge with sss_client licensing
On Thu, Feb 18, 2010 at 05:16:37PM -0500, Stephen Gallagher wrote:
> SSIA

ACK

bye,
Sumit
Re: [SSSD] [PATCH] Add documentation for PAM response messages
On Thu, Feb 18, 2010 at 08:42:04AM -0500, Stephen Gallagher wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/17/2010 08:14 AM, Sumit Bose wrote: Hi, this patch documents the PAM response messages which can be send by the components of the sssd to the PAM client. Nack. Please include the server-side documentation as well. And given the source reorganization, this will need to be rebased as well. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkt9Q6wACgkQeiVVYja6o6NNSACdFQHh4CjIU6PypV2WwJMWfPpI 91EAn0lOcHL6g3BVLifj+IqJblUs3T1i =PQd+ -END PGP SIGNATURE- new and rebased version attached. bye, Sumit From acd96aa07de8dbd505aff8bbfc3400ce9c5598cb Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 15 Feb 2010 15:05:07 +0100 Subject: [PATCH] Add documentation for PAM response messages --- .gitignore|1 + src/doxy.config.in|4 +- src/providers/data_provider.h | 69 + src/sss_client/sss_cli.h | 219 + 4 files changed, 273 insertions(+), 20 deletions(-) diff --git a/.gitignore b/.gitignore index 8550ae3..478cd7f 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,7 @@ config.rpath config.h config.h.in cscope.out +doxy.config Makefile Makefile.in Makefile.in.in diff --git a/src/doxy.config.in b/src/doxy.config.in index 6c14749..a9070e5 100644 --- a/src/doxy.config.in +++ b/src/doxy.config.in @@ -578,7 +578,9 @@ WARN_LOGFILE = # directories like /usr/src/myproject. Separate the files or directories # with spaces. -INPUT = @srcdir@/confdb +INPUT = @srcdir@/confdb \ + @srcdir@/providers/data_provider.h \ + @srcdir@/sss_client/sss_cli.h # This tag can be used to specify the character encoding of the source files # that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is 
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h index 76ba4cf..5dd774d 100644 --- a/src/providers/data_provider.h +++ b/src/providers/data_provider.h 
@@ -56,8 +56,77 @@ #define DP_METHOD_REGISTER RegisterService #define DP_METHOD_ONLINE getOnline #define DP_METHOD_GETACCTINFO getAccountInfo +/** + * @defgroup pamHandler PAM DBUS request + * @ingroup sss_pam + * + * The PAM responder send all the data it has received from the PAM client to + * the authentication backend with a DBUS message. + * + * As a response it expects basically a PAM return value (see pam(3) for + * details) and the name of the domain. The backend may send any number of + * additional messages (see ...) which are forwarded by the PAM responder to + * the PAM client. + * @{ + */ + +/** Then pamHandler Request + * + * The following two functions can help you to pack and unpack the DBUS + * message for a PAM request. If it is necessary to create the DBUS message by + * hand it must have the following elements: + * + * @param DBUS_TYPE_INT32 PAM Command, see #sss_cli_command for allowed values + * @param DBUS_TYPE_STRING Name of the Domain + * @param DBUS_TYPE_STRING User name, this value is send by the PAM client and + * contains the value of the PAM item PAM_USER + * @param DBUS_TYPE_STRING Service name, this value is send by the PAM client + * and contains the value of the PAM item PAM_SERVICE + * @param DBUS_TYPE_STRING TTY name this value is send by the PAM client and + * contains the value of the PAM item PAM_TTY + * @param DBUS_TYPE_STRING Remote user, this value is send by the PAM client + * and contains the value of the PAM item PAM_RUSER + * @param DBUS_TYPE_STRING Remote host, this value is send by the PAM client + * and contains the value of the PAM item PAM_RHOST + * @param DBUS_TYPE_UINT32 Type of the authentication token, see #sss_authtok_type + * for allowed values + * @param DBUS_TYPE_ARRAY__(BYTE) Authentication token, DBUS array which + * contains the authentication token, it is not required that passwords have a + * trailing \\0, this value is send by the PAM client and contains the value of + * the PAM item PAM_AUTHTOK or 
PAM_OLDAUTHTOK if the PAM command is + * #SSS_PAM_CHAUTHTOK or #SSS_PAM_CHAUTHTOK_PRELIM + * @param DBUS_TYPE_UINT32 Type of the new authentication token, see + * #sss_authtok_type for allowed values + * @param DBUS_TYPE_ARRAY__(BYTE) New authentication token, DBUS array which + * contains the new authentication token for a password change, it is not + * required that passwords have a trailing \\0, this value is send by the PAM + * client and contains the value of the PAM item PAM_AUTHTOK if the PAM + * command is #SSS_PAM_CHAUTHTOK or #SSS_PAM_CHAUTHTOK_PRELIM
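Review bot: the new doxygen block in data_provider.h carries several wording slips that will ship into the generated API documentation: "The PAM responder send all the data" (sends), "Then pamHandler Request" (The), and "this value is send by the PAM client" (sent), which is repeated for every PAM item. The cross-reference "(see ...)" after "additional messages" is a placeholder and should point at the response-message documentation this same patch adds to sss_cli.h. Also, `@param` is meant for function parameters; in a block that documents no function doxygen has nothing to attach them to, so describe the D-BUS message elements as a plain list (`@li`) in the exact order dp_pack_pam_request() packs them, and state that this order is the wire contract dp_unpack_pam_request() must follow.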
Re: [SSSD] [PATCH] Remove unneeded items from struct pam_data
On Thu, Feb 18, 2010 at 01:26:01PM -0500, Stephen Gallagher wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/18/2010 06:44 AM, Sumit Bose wrote: Hi, while documenting the PAM DBUS API I found that we send some needless values. This patch removes them. Sumit, would you mind rebasing this patch atop Jakub's Use macros to hide memcpy calls patch? They're in conflict. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkt9hjkACgkQeiVVYja6o6NIdQCZAazZCTn58Z3yhW04Q8thyuID YbEAniF4jH5kMPOyQW5tBYCQ2KHnqLfm =Nk79 -END PGP SIGNATURE- rebased version attached. bye, Sumit From a283f9edcc0439750cce48d6a11c868460af7fbd Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Thu, 18 Feb 2010 11:39:39 +0100 Subject: [PATCH] Remove unneeded items from struct pam_data --- src/providers/data_provider.h |4 -- src/providers/dp_auth_util.c|6 --- src/providers/krb5/krb5_auth.c | 46 - src/providers/krb5/krb5_auth.h |3 ++ src/providers/krb5/krb5_child.c | 71 +- src/providers/krb5/krb5_utils.c |8 ++-- src/responder/pam/pamsrv_cmd.c | 18 -- src/tests/krb5_utils-tests.c|4 +- 8 files changed, 71 insertions(+), 89 deletions(-) diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h index 5dd774d..661bd98 100644 --- a/src/providers/data_provider.h +++ b/src/providers/data_provider.h @@ -181,10 +181,6 @@ struct pam_data { bool offline_auth; bool last_auth_saved; int priv; -uid_t pw_uid; -gid_t gr_gid; - -const char *upn; }; /* from dp_auth_util.c */ diff --git a/src/providers/dp_auth_util.c b/src/providers/dp_auth_util.c index 39cc0f6..16fb28c 100644 --- a/src/providers/dp_auth_util.c +++ b/src/providers/dp_auth_util.c 
@@ -35,8 +35,6 @@ void pam_print_data(int l, struct pam_data *pd) DEBUG(l, (newauthtok type: %d\n, pd-newauthtok_type)); DEBUG(l, (newauthtok size: %d\n, pd-newauthtok_size)); DEBUG(l, (priv: %d\n, pd-priv)); -DEBUG(l, (pw_uid: %d\n, pd-pw_uid)); -DEBUG(l, (gr_gid: %d\n, pd-gr_gid)); DEBUG(l, (cli_pid: %d\n, pd-cli_pid)); } @@ -86,8 +84,6 @@ bool dp_pack_pam_request(DBusMessage *msg, struct pam_data *pd) (pd-newauthtok), pd-newauthtok_size, DBUS_TYPE_INT32, (pd-priv), - DBUS_TYPE_INT32, (pd-pw_uid), - DBUS_TYPE_INT32, (pd-gr_gid), DBUS_TYPE_UINT32, (pd-cli_pid), DBUS_TYPE_INVALID); @@ -115,8 +111,6 @@ bool dp_unpack_pam_request(DBusMessage *msg, struct pam_data *pd, DBusError *dbu (pd-newauthtok), (pd-newauthtok_size), DBUS_TYPE_INT32, (pd-priv), -DBUS_TYPE_INT32, (pd-pw_uid), -DBUS_TYPE_INT32, (pd-gr_gid), DBUS_TYPE_UINT32, (pd-cli_pid), DBUS_TYPE_INVALID); diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index a2dadc8..27d6aeb 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -316,7 +316,7 @@ errno_t create_send_buffer(struct krb5child_req *kr, struct io_buffer **io_buf) return ENOMEM; } -buf-size = 9*sizeof(uint32_t) + strlen(kr-pd-upn) + strlen(kr-ccname) + +buf-size = 9*sizeof(uint32_t) + strlen(kr-upn) + strlen(kr-ccname) + strlen(keytab) + kr-pd-authtok_size; if (kr-pd-cmd == SSS_PAM_CHAUTHTOK) { 
@@ -332,13 +332,13 @@ errno_t create_send_buffer(struct krb5child_req *kr, struct io_buffer **io_buf) rp = 0; COPY_UINT32(buf-data[rp], kr-pd-cmd, rp); -COPY_UINT32(buf-data[rp], kr-pd-pw_uid, rp); -COPY_UINT32(buf-data[rp], kr-pd-gr_gid, rp); +COPY_UINT32(buf-data[rp], kr-uid, rp); +COPY_UINT32(buf-data[rp], kr-gid, rp); COPY_UINT32(buf-data[rp], validate, rp); COPY_UINT32(buf-data[rp], kr-is_offline, rp); -COPY_UINT32_VALUE(buf-data[rp], strlen(kr-pd-upn), rp); -COPY_MEM(buf-data[rp], kr-pd-upn, rp, strlen(kr-pd-upn)); +COPY_UINT32_VALUE(buf-data[rp], strlen(kr-upn), rp); +COPY_MEM(buf-data[rp], kr-upn, rp, strlen(kr-upn)); COPY_UINT32_VALUE(buf-data[rp], strlen(kr-ccname), rp); COPY_MEM(buf-data[rp], kr-ccname, rp, strlen(kr-ccname)); @@ -516,7 +516,7 @@ static errno_t fork_child(struct krb5child_req *kr) * ccache
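Review bot: same concern as on the first version, now on the COPY_UINT32 lines in create_send_buffer(): `COPY_UINT32(buf->data[rp], kr->uid, rp)` copies sizeof(uint32_t) bytes out of a uid_t, and `kr->uid`, `kr->gid` and `kr->upn` are populated outside the visible hunks, so please confirm they are set on every path before fork_child() runs `become_user(kr->uid, kr->gid)`, and return an error if they are still at their zero defaults rather than forking with them.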
[SSSD] [PATCH] Check and set permissions on SBUS sockets
Hi, this patch should fix #403. libdbus is so nice to call chmod(0777) explicitly on a newly created socket so we have to call chmod() explicitly too to change the permissions. I would prefer the call fchmod(), but I didn't found a way to get the file descriptor of the socket out of libdbus. If anyone knows a way I would be happy to update the patch. bye, Sumit From 745d5069da29e61d6beb6027a87a81672a48b153 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 16 Feb 2010 15:53:56 +0100 Subject: [PATCH 1/2] Check and set permissions on SBUS sockets --- src/confdb/confdb_setup.c|3 +- src/sbus/sbus_client.c | 13 ++ src/sbus/sssd_dbus_server.c | 24 src/tests/check_and_open-tests.c | 17 src/tests/files-tests.c |2 +- src/util/check_and_open.c| 76 -- src/util/util.h | 16 +++- 7 files changed, 128 insertions(+), 23 deletions(-) diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c index 3c10c06..77cd5f9 100644 --- a/src/confdb/confdb_setup.c +++ b/src/confdb/confdb_setup.c @@ -285,7 +285,8 @@ int confdb_init_db(const char *config_file, struct confdb_ctx *cdb) tmp_ctx = talloc_new(cdb); if (tmp_ctx == NULL) return ENOMEM; -ret = check_and_open_readonly(config_file, fd, 0, 0, (S_IRUSR|S_IWUSR)); +ret = check_and_open_readonly(config_file, fd, 0, 0, (S_IRUSR|S_IWUSR), + CHECK_REG); if (ret != EOK) { DEBUG(1, (Permission check on config file failed.\n)); talloc_zfree(tmp_ctx); diff --git a/src/sbus/sbus_client.c b/src/sbus/sbus_client.c index df5c071..1c5c1b2 100644 --- a/src/sbus/sbus_client.c +++ b/src/sbus/sbus_client.c 
@@ -33,12 +33,25 @@ int sbus_client_init(TALLOC_CTX *mem_ctx, { struct sbus_connection *conn = NULL; int ret; +char *filename; /* Validate input */ if (server_address == NULL) { return EINVAL; } +filename = strchr(server_address, '/'); +if (filename == NULL) { +DEBUG(1, (Unexpected dbus address [%s].\n, server_address)); +return EIO; +} + +ret = check_file(filename, 0, 0, 0600, CHECK_SOCK, NULL); +if (ret != EOK) { +DEBUG(1, (check_file failed for [%s].\n, filename)); +return EIO; +} + ret = sbus_new_connection(mem_ctx, ev, server_address, intf, conn); if (ret != EOK) { goto fail; diff --git a/src/sbus/sssd_dbus_server.c b/src/sbus/sssd_dbus_server.c index a859cba..b4b8894 100644 --- a/src/sbus/sssd_dbus_server.c +++ b/src/sbus/sssd_dbus_server.c @@ -19,6 +19,9 @@ along with this program. If not, see http://www.gnu.org/licenses/. */ #include sys/time.h +#include sys/types.h +#include sys/stat.h + #include tevent.h #include util/util.h #include dbus/dbus.h @@ -95,6 +98,8 @@ int sbus_new_server(TALLOC_CTX *mem_ctx, DBusError dbus_error; dbus_bool_t dbret; char *tmp; +int ret; +char *filename; *_server = NULL; @@ -108,6 +113,25 @@ int sbus_new_server(TALLOC_CTX *mem_ctx, return EIO; } +filename = strchr(address, '/'); +if (filename == NULL) { +DEBUG(1, (Unexpected dbus address [%s].\n, address)); +return EIO; +} + +ret = check_file(filename, 0, 0, 0777, CHECK_SOCK, NULL); +if (ret != EOK) { +DEBUG(1, (check_file failed for [%s].\n, filename)); +return EIO; +} + +ret = chmod(filename, 0600); +if (ret != EOK) { +DEBUG(1, (chmod failed for [%s]: [%d][%s].\n, filename, errno, + strerror(errno))); +return EIO; +} + tmp = dbus_server_get_address(dbus_server); DEBUG(3, (D-BUS Server listening on %s\n, tmp)); free(tmp); diff --git a/src/tests/check_and_open-tests.c b/src/tests/check_and_open-tests.c index b0d638b..32cf09f 100644 --- a/src/tests/check_and_open-tests.c +++ b/src/tests/check_and_open-tests.c 
@@ -74,7 +74,7 @@ START_TEST(test_wrong_filename) { int ret; -ret = check_and_open_readonly(/bla/bla/bla, fd, uid, gid, mode); +ret = check_and_open_readonly(/bla/bla/bla, fd, uid, gid, mode, CHECK_REG); fail_unless(ret == ENOENT, check_and_open_readonly succeeded on non-existing file); fail_unless(fd == -1, check_and_open_readonly file descriptor not -1); @@ -99,7 +99,7 @@ START_TEST(test_symlink) ret = symlink(filename, newpath); fail_unless(ret == 0, symlink failed [%d][%s], ret, strerror(ret)); -ret = check_and_open_readonly(newpath, fd, uid, gid, mode); +ret = check_and_open_readonly(newpath, fd, uid, gid, mode, CHECK_REG); unlink(newpath); fail_unless(ret == EINVAL, check_and_open_readonly succeeded on symlink); @@ -111,7 +111,7 @@ START_TEST(test_not_regular_file) { int ret; -ret = check_and_open_readonly(/dev/null, fd, uid
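Review bot: in the sssd_dbus_server.c hunk the socket is first required to be exactly 0777 by check_file() and then chmod()'ed to 0600 by path, which has two weaknesses: between libdbus creating the socket world-accessible and the chmod there is a window in which any local user can connect, and check_file() followed by chmod() on a path is a check-then-act sequence rather than an atomic fchmod() (the cover letter already notes libdbus exposes no descriptor). Two changes would make this robust: correct any mode other than 0600 instead of insisting on 0777 (a socket left at, say, 0666 by a different libdbus version would currently be rejected with EIO), and place the socket in a root-owned 0700 directory so clients are excluded regardless of the socket's own mode bits. Minor: chmod() returns -1 on failure, so compare against 0 or -1 rather than EOK; the errno reporting in the hunk is fine.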
[SSSD] [PATCH] Fix two typos
Hi,

by chance I found these two typos.

bye,
Sumit

From e1cccaa4b21f43ce84ac47f96078a0a9a0ead2a0 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Fri, 19 Feb 2010 16:42:13 +0100 Subject: [PATCH] Fix two typos --- src/Makefile.am |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Makefile.am b/src/Makefile.am index bc53e4e..a37cf7d 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -601,7 +601,7 @@ find_uid_tests_LDADD = \ auth_tests_SOURCES = \ tests/auth-tests.c \ $(SSSD_UTIL_OBJ) -auth_tests_CFLAG = \ +auth_tests_CFLAGS = \ $(AM_CFLAGS) \ $(CHECK_CFLAGS) auth_tests_LDADD = \ @@ -610,7 +610,7 @@ auth_tests_LDADD = \ ipa_ldap_opt_tests_SOURCES = \ tests/ipa_ldap_opt-tests.c -ipa_ldap_opt_tests_CFLAG = \ +ipa_ldap_opt_tests_CFLAGS = \ $(AM_CFLAGS) \ $(CHECK_CFLAGS) ipa_ldap_opt_tests_LDADD = \ -- 1.6.6
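Review bot: correct fix; because automake treats an unknown name such as `auth_tests_CFLAG` as an ordinary Make variable and does not complain, the misspelling meant auth_tests and ipa_ldap_opt_tests were built without $(CHECK_CFLAGS) until now, so run `make check` once after applying to confirm both test programs still compile and link with the check header flags actually in effect.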
[SSSD] [PATCH] Send Kerberos environment after password change
Hi,

I just realized that the Kerberos environment variables are not sent back to the client during a password change. This would result in missing variables if you log in while your password is expired and a new one is set.

bye,
Sumit

From 370accf6a4ee95149e061b24ad30cc6c071c1cf7 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Fri, 19 Feb 2010 16:42:50 +0100 Subject: [PATCH] Send Kerberos environment after password change --- src/providers/krb5/krb5_auth.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 27d6aeb..0e5230c 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -1106,7 +1106,7 @@ static void krb5_save_ccname_done(struct tevent_req *req) int ret; char *password = NULL; -if (pd-cmd == SSS_PAM_AUTHENTICATE) { +if (pd-cmd == SSS_PAM_AUTHENTICATE || pd-cmd == SSS_PAM_CHAUTHTOK) { ret = add_krb5_env(krb5_ctx-opts, kr-ccname, pd); if (ret != EOK) { DEBUG(1, (add_krb5_env failed.\n)); -- 1.6.6
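Review bot: the condition in krb5_save_ccname_done() now covers SSS_PAM_AUTHENTICATE and SSS_PAM_CHAUTHTOK but not SSS_PAM_CHAUTHTOK_PRELIM; if that is deliberate (the preliminary check should not hand the client a credential cache it has not finished validating), say so in a one-line comment next to the `if`, otherwise the next reader will treat it as the same omission this patch fixes. A sentence in the commit message naming which variables add_krb5_env() exports would also make the user-visible effect of the bug clear.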
Re: [SSSD] [PATCH] Check and set permissions on SBUS sockets
On Fri, Feb 19, 2010 at 03:46:43PM -0500, Stephen Gallagher wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/19/2010 08:49 AM, Sumit Bose wrote: Hi, this patch should fix #403. libdbus is so nice to call chmod(0777) explicitly on a newly created socket so we have to call chmod() explicitly too to change the permissions. I would prefer the call fchmod(), but I didn't found a way to get the file descriptor of the socket out of libdbus. If anyone knows a way I would be happy to update the patch. Nack. Don't check for 0777 permissions. Check that the permissions are NOT 0600 and correct it if so. New version attached. bye, Sumit - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkt++LMACgkQeiVVYja6o6NZfQCfVLfcUWyLpz6eEHcovyffYk00 9mQAnApUr4mmQC6Eojn3to/hJ/sLJqi7 =OoE0 -END PGP SIGNATURE- ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel From 7b9727184150335ac5e3824a92e0109258a60f45 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 16 Feb 2010 15:53:56 +0100 Subject: [PATCH 1/2] Check and set permissions on SBUS sockets --- src/confdb/confdb_setup.c|3 +- src/sbus/sbus_client.c | 13 ++ src/sbus/sssd_dbus_server.c | 27 src/tests/check_and_open-tests.c | 17 src/tests/files-tests.c |2 +- src/util/check_and_open.c| 87 +++-- src/util/util.h | 17 +++- 7 files changed, 141 insertions(+), 25 deletions(-) diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c index 3c10c06..77cd5f9 100644 --- a/src/confdb/confdb_setup.c +++ b/src/confdb/confdb_setup.c 
@@ -285,7 +285,8 @@ int confdb_init_db(const char *config_file, struct confdb_ctx *cdb) tmp_ctx = talloc_new(cdb); if (tmp_ctx == NULL) return ENOMEM; -ret = check_and_open_readonly(config_file, fd, 0, 0, (S_IRUSR|S_IWUSR)); +ret = check_and_open_readonly(config_file, fd, 0, 0, (S_IRUSR|S_IWUSR), + CHECK_REG); if (ret != EOK) { DEBUG(1, (Permission check on config file failed.\n)); talloc_zfree(tmp_ctx); diff --git a/src/sbus/sbus_client.c b/src/sbus/sbus_client.c index df5c071..1c5c1b2 100644 --- a/src/sbus/sbus_client.c +++ b/src/sbus/sbus_client.c @@ -33,12 +33,25 @@ int sbus_client_init(TALLOC_CTX *mem_ctx, { struct sbus_connection *conn = NULL; int ret; +char *filename; /* Validate input */ if (server_address == NULL) { return EINVAL; } +filename = strchr(server_address, '/'); +if (filename == NULL) { +DEBUG(1, (Unexpected dbus address [%s].\n, server_address)); +return EIO; +} + +ret = check_file(filename, 0, 0, 0600, CHECK_SOCK, NULL); +if (ret != EOK) { +DEBUG(1, (check_file failed for [%s].\n, filename)); +return EIO; +} + ret = sbus_new_connection(mem_ctx, ev, server_address, intf, conn); if (ret != EOK) { goto fail; diff --git a/src/sbus/sssd_dbus_server.c b/src/sbus/sssd_dbus_server.c index a859cba..98c308e 100644 --- a/src/sbus/sssd_dbus_server.c +++ b/src/sbus/sssd_dbus_server.c @@ -19,6 +19,9 @@ along with this program. If not, see http://www.gnu.org/licenses/. */ #include sys/time.h +#include sys/types.h +#include sys/stat.h + #include tevent.h #include util/util.h #include dbus/dbus.h @@ -95,6 +98,9 @@ int sbus_new_server(TALLOC_CTX *mem_ctx, DBusError dbus_error; dbus_bool_t dbret; char *tmp; +int ret; +char *filename; +struct stat stat_buf; *_server = NULL; 
@@ -108,6 +114,27 @@ int sbus_new_server(TALLOC_CTX *mem_ctx, return EIO; } +filename = strchr(address, '/'); +if (filename == NULL) { +DEBUG(1, (Unexpected dbus address [%s].\n, address)); +return EIO; +} + +ret = check_file(filename, 0, 0, -1, CHECK_SOCK, stat_buf); +if (ret != EOK) { +DEBUG(1, (check_file failed for [%s].\n, filename)); +return EIO; +} + +if ((stat_buf.st_mode ~S_IFMT) != 0600) { +ret = chmod(filename, 0600); +if (ret != EOK) { +DEBUG(1, (chmod failed for [%s]: [%d][%s].\n, filename, errno, + strerror(errno))); +return EIO; +} +} + tmp = dbus_server_get_address(dbus_server); DEBUG(3, (D-BUS Server listening on %s\n, tmp)); free(tmp); diff --git a/src/tests/check_and_open-tests.c b/src/tests/check_and_open-tests.c index b0d638b..32cf09f
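Review bot: the revised sssd_dbus_server.c hunk now corrects any mode other than 0600, which is the right policy, but `check_file(filename, 0, 0, -1, CHECK_SOCK, &stat_buf)` followed by `chmod(filename, 0600)` is still a stat-then-chmod on a path, and the socket exists world-accessible from the moment libdbus creates it until the chmod runs. Since libdbus gives no descriptor for fchmod(), please record that limitation in a comment and make the socket's parent directory root-owned and 0700, so clients are excluded regardless of the socket's own bits. The `(stat_buf.st_mode & ~S_IFMT) != 0600` test is good as written because it also catches stray setuid/setgid/sticky bits; keep it, and keep `ret != EOK` consistent with chmod()'s -1 return by comparing against 0 instead.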
[SSSD] [PATCH] Handle expired passwords like other PAM modules
Hi, this patch changes the way we handle expired passwords to meet the PAM standards. bye, Sumit From bb731b875dbb78980c7e2a9d0a97cac54fc5faa2 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 22 Feb 2010 09:10:32 +0100 Subject: [PATCH] Handle expired passwords like other PAM modules So far we handled expired password during authentication. Other PAM modules typically detect expired password during account management and return PAM_NEW_AUTHTOK_REQD if the password is expired and should be changed. The PAM library then calls the change password routines. To meet these standards pam_sss is change accordingly. As a result it is now possible to update an expired password via ssh if sssd is running with PasswordAuthentication=yes. One drawback due to limitations of PAM is that the user now has to type his current password again before setting a new one. --- src/providers/krb5/krb5_child.c |2 +- src/providers/ldap/ldap_auth.c |2 +- src/sss_client/pam_sss.c| 49 -- src/sss_client/sss_cli.h| 21 - 4 files changed, 53 insertions(+), 21 deletions(-) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index d1cc53f..08df598 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -688,7 +688,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr) pam_status = PAM_AUTHINFO_UNAVAIL; break; case KRB5KDC_ERR_KEY_EXP: -pam_status = PAM_AUTHTOK_EXPIRED; +pam_status = PAM_NEW_AUTHTOK_REQD; break; case KRB5KDC_ERR_PREAUTH_FAILED: pam_status = PAM_CRED_ERR; diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index cfe8adb..ba1136b 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c 
@@ -983,7 +983,7 @@ static void sdap_pam_auth_done(struct tevent_req *req) state-pd-pam_status = PAM_ACCT_EXPIRED; break; case SDAP_AUTH_PW_EXPIRED: -state-pd-pam_status = PAM_AUTHTOK_EXPIRED; +state-pd-pam_status = PAM_NEW_AUTHTOK_REQD; break; default: state-pd-pam_status = PAM_SYSTEM_ERR; diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index a13563d..010ca4e 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -46,6 +46,8 @@ #define FLAGS_FORWARD_PASS (1 1) #define FLAGS_USE_AUTHTOK(1 2) +#define PWEXP_FLAG pam_sss:password_expired_flag + struct pam_items { const char* pam_service; const char* pam_user; @@ -101,6 +103,11 @@ static void logger(pam_handle_t *pamh, int level, const char *fmt, ...) { va_end(ap); } +static void free_exp_data(pam_handle_t *pamh, void *ptr, int err) +{ +free(ptr); +ptr = NULL; +} static size_t add_authtok_item(enum pam_item_type type, enum sss_authtok_type authtok_type, @@ -847,13 +854,13 @@ done: return pam_status; } -static int prompt_password(pam_handle_t *pamh, struct pam_items *pi) +static int prompt_password(pam_handle_t *pamh, struct pam_items *pi, + const char *prompt) { int ret; char *answer = NULL; -ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, _(Password: ), - NULL, answer); +ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt, NULL, answer); if (ret != PAM_SUCCESS) { D((do_pam_conversation failed.)); return ret; @@ -943,7 +950,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, } pi-pam_authtok_size = strlen(pi-pam_authtok); } else { -ret = prompt_password(pamh, pi); +ret = prompt_password(pamh, pi, _(Password: )); if (ret != PAM_SUCCESS) { D((failed to get password from user)); return ret; 
@@ -973,7 +980,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, * pam_sss work e.g. with pam_cracklib */ if (pam_flags PAM_PRELIM_CHECK) { if (getuid() != 0 !(flags FLAGS_USE_FIRST_PASS)) { -ret = prompt_password(pamh, pi); +ret = prompt_password(pamh, pi, _(Current Password: )); if (ret != PAM_SUCCESS) { D((failed to get password from user)); return ret; @@ -1040,6 +1047,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, int ret; struct pam_items pi; uint32_t flags = 0; +int *exp_data; bindtextdomain(PACKAGE, LOCALEDIR); @@ -1053,7 +1061,6 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, return ret; } - switch(task) { case SSS_PAM_AUTHENTICATE: ret = get_authtok_for_authentication(pamh, pi, flags); @@ -1086,24 +1093,30 @@ static int pam_sss(enum
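Review bot: in the pam_sss.c hunk that adds free_exp_data(), the `ptr = NULL;` after `free(ptr);` only clears the callback's local copy of the pointer and has no effect for the caller; drop it so the cleanup body is just the free(), and consider casting `pamh` and `err` to void to silence unused-parameter warnings.

Review bot: the krb5_child.c and ldap_auth.c hunks make the authentication path report PAM_NEW_AUTHTOK_REQD, while the commit message says the expired state is meant to surface from account management; the pam_sss.c hunks add PWEXP_FLAG and an `exp_data` pointer that apparently carry that state from the authenticate phase to the account-management phase, but none of the visible hunks documents this, so the commit message should state how pam_sss maps the backend status across the two phases.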
[SSSD] [PATCH] Add expandable sequences to krb5_ccachedir
Hi, this patch should fix #406. bye, Sumit From ac0a2de24a0400dc08acf375184d20673872415c Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 23 Feb 2010 09:43:51 +0100 Subject: [PATCH] Add expandable sequences to krb5_ccachedir As with krb5_ccname_template sequences like %u can be used in the krb5_ccachedir parameter which are expanded at runtime. If the directory does not exist, it will be created. Depending on the used sequences it is created as a public or private directory. --- src/man/sssd-krb5.5.xml |8 +- src/providers/krb5/krb5_auth.c | 13 ++- src/providers/krb5/krb5_common.c | 13 -- src/providers/krb5/krb5_utils.c | 134 ++- src/providers/krb5/krb5_utils.h |7 +- src/tests/krb5_utils-tests.c | 350 -- 6 files changed, 409 insertions(+), 116 deletions(-) diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml index 32b6c29..921d17c 100644 --- a/src/man/sssd-krb5.5.xml +++ b/src/man/sssd-krb5.5.xml @@ -102,7 +102,13 @@ termkrb5_ccachedir (string)/term listitem para -Directory to store credential caches. +Directory to store credential caches. All the +substitution sequences of krb5_ccname_template can +be used here, too, expect %d. If the directory does +not exist it will be created. If %u, %U, %p or %h +are used a private directory belonging to the user +is created. Otherwise a public directory with +restricted deletion flag is created. /para para Default: /tmp diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 0e5230c..3419838 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c 
@@ -915,12 +915,21 @@ static void krb5_resolve_done(struct tevent_req *req) } kr-ccname = expand_ccname_template(kr, kr, dp_opt_get_cstring(kr-krb5_ctx-opts, - KRB5_CCNAME_TMPL) -); + KRB5_CCNAME_TMPL), +true); if (kr-ccname == NULL) { DEBUG(1, (expand_ccname_template failed.\n)); goto done; } + +ret = create_ccache_dir(kr, kr-ccname, +dp_opt_get_cstring(kr-krb5_ctx-opts, + KRB5_CCACHEDIR), +kr-uid, kr-gid); +if (ret != EOK) { +DEBUG(1, (create_ccache_dir failed.\n)); +goto done; +} } if (be_is_offline(be_req-be_ctx)) { diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c index 86676f4..7619e6a 100644 --- a/src/providers/krb5/krb5_common.c +++ b/src/providers/krb5/krb5_common.c @@ -47,7 +47,6 @@ errno_t check_and_export_options(struct dp_option *opts, char *value; const char *realm; const char *dummy; -struct stat stat_buf; char **list; realm = dp_opt_get_cstring(opts, KRB5_REALM); @@ -83,18 +82,6 @@ errno_t check_and_export_options(struct dp_option *opts, talloc_free(list); } -dummy = dp_opt_get_cstring(opts, KRB5_CCACHEDIR); -ret = lstat(dummy, stat_buf); -if (ret != EOK) { -DEBUG(1, (lstat for [%s] failed: [%d][%s].\n, dummy, errno, - strerror(errno))); -return ret; -} -if ( !S_ISDIR(stat_buf.st_mode) ) { -DEBUG(1, (Value of krb5ccache_dir [%s] is not a directory.\n, dummy)); -return EINVAL; -} - dummy = dp_opt_get_cstring(opts, KRB5_CCNAME_TMPL); if (dummy == NULL) { DEBUG(1, (Missing credential cache name template.\n)); diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c index a75ad78..6a893f6 100644 --- a/src/providers/krb5/krb5_utils.c +++ b/src/providers/krb5/krb5_utils.c 
@@ -29,13 +29,14 @@ #include util/util.h char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, - const char *template) + const char *template, bool expand_ccache_dir) { char *copy; char *p; char *n; char *result = NULL; const char *dummy; +const char *cache_dir_tmpl; if (template == NULL) { DEBUG(1, (Missing template.\n)); @@ -110,12 +111,26 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, result
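Review bot: typo in the sssd-krb5.5.xml hunk: "expect %d" should read "except %d".

Review bot: the krb5_common.c hunk removes the only validation krb5_ccachedir had (the startup lstat()/S_ISDIR check), and the krb5_auth.c hunk passes the expanded ccname and the raw option value to create_ccache_dir() with no check visible in this patch; since the expanded value now carries user-derived sequences (%u, %h and friends per the man page hunk), the creation path must reject "." and ".." components and non-absolute results before any mkdir, and the commit message should say so. The body of create_ccache_dir() is not among the hunks shown, so this cannot be confirmed here.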
Re: [SSSD] [PATCH] Add simple access provider
On Thu, Feb 25, 2010 at 01:27:34PM -0500, Stephen Gallagher wrote:
On 02/25/2010 12:31 PM, Sumit Bose wrote:
Hi, this is the second try to fix #392. This patch adds a new provider called simple with an access target which can allow/deny access based on a list of user names.

Nack. You didn't update the SSSDConfigTest.py. It's failing.

The manpages are very hard to follow. Might I suggest that they read:

NAME
    sssd-simple - the configuration file for SSSD's 'simple' access-control provider

DESCRIPTION
    This manual page describes the configuration of the simple access-control provider for sssd(8). For a detailed syntax reference, refer to the “FILE FORMAT” section of the sssd.conf(5) manual page.

    The simple access provider grants or denies access based on an access or deny list of user names. Here the following rules apply:

    · If both lists are empty, access is granted.
    · If simple_allow_users is set, only users from this list are allowed access. This setting supersedes the simple_deny_users list (which would be redundant).
    · If the simple_allow_users list is empty, users are allowed access unless they appear in the simple_deny_users list.

CONFIGURATION OPTIONS
    Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5) manual page for details on the configuration of an SSSD domain.

    simple_allow_users (string)
        Comma separated list of users who are allowed to log in.

    simple_deny_users (string)
        Comma separated list of users who are rejected if simple_allow_users is not set.

EXAMPLE
    The following example assumes that SSSD is correctly configured and example.com is one of the domains in the [sssd] section. This example shows only the simple access provider-specific options.

    [domain/example.com]
    access_provider = simple
    simple_allow_users = user1, user2

SEE ALSO
    sssd.conf(5), sssd(8)

AUTHORS
    The SSSD upstream - http://fedorahosted.org/sssd

--
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/

new version attached.

bye, Sumit

From 62d4ff8d778abf9822e806adcd9f62a64eb5813d Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Thu, 25 Feb 2010 17:30:47 +0100 Subject: [PATCH] Add simple access provider --- contrib/sssd.spec.in |2 + src/Makefile.am| 32 +- src/config/SSSDConfig.py |4 + src/config/SSSDConfigTest.py |1 + src/config/etc/sssd.api.d/sssd-simple.conf |5 + src/man/sssd-simple.5.xml | 122 + src/man/sssd.conf.5.xml|7 ++ src/providers/simple_access.c | 159 src/providers/simple_access.h | 31 ++ src/tests/simple_access-tests.c| 150 ++ 10 files changed, 509 insertions(+), 4 deletions(-) create mode 100644 src/config/etc/sssd.api.d/sssd-simple.conf create mode 100644 src/man/sssd-simple.5.xml create mode 100644 src/providers/simple_access.c create mode 100644 src/providers/simple_access.h create mode 100644 src/tests/simple_access-tests.c diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index db1c0bc..65e8868 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -241,6 +241,7 @@ rm -f \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \ +$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_simple.la \ $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la \ $RPM_BUILD_ROOT/%{python_sitearch}/pysss.la @@ -288,6 +289,7 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man5/sssd-ipa.5* %{_mandir}/man5/sssd-krb5.5* %{_mandir}/man5/sssd-ldap.5* +%{_mandir}/man5/sssd-simple.5* %{_mandir}/man8/sssd.8* %{_mandir}/man8/sss_groupadd.8* %{_mandir}/man8/sss_groupdel.8* 
diff --git a/src/Makefile.am b/src/Makefile.am index fa62702..241daad 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -75,7 +75,8 @@ if HAVE_CHECK fail_over-tests \ find_uid-tests \ auth-tests \ -ipa_ldap_opt-tests +ipa_ldap_opt-tests \ +simple_access-tests endif check_PROGRAMS = \ @@ -90,7 +91,8 @@ sssdlib_LTLIBRARIES = \ libsss_ldap.la \ libsss_krb5.la \ libsss_proxy.la
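Review bot: the commit message consists of the subject line only; given the precedence rules the review above spells out (an allow list wins over the deny list, two empty lists grant access), a short body stating those rules and noting the SSSDConfigTest.py update would make the history self-explaining for anyone reading the spec and Makefile.am hunks later.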
Re: [SSSD] [PATCH] Add expandable sequences to krb5_ccachedir
On Wed, Feb 24, 2010 at 09:56:47AM -0500, Simo Sorce wrote:
On Wed, 24 Feb 2010 12:05:18 +0100 Sumit Bose sb...@redhat.com wrote:
+old_umask = umask(); +ret = mkdir(dirname, 01777); +umask(old_umask); +if (ret != EOK) { +DEBUG(1, (mkdir [%s] failed: [%d][%s].\n, dirname, errno, + strerror(errno))); +return errno; +} +
NACK. We do not want to give every user on the system freedom to write what they want in these directories. All parents need to be root.root 0755. If the admins want it differently they will have to pre-create the parent directories themselves.
Simo.

New version attached. In addition to the issues mentioned above, the templates are only parsed once and the expanded path is checked for suspicious patterns like '/../'. If a private directory is created it is chown'd immediately after its creation.

There are two questions where I do not know a good answer:
- The parent directories are always created with 0755 permissions and the owner is root. Should we handle the case where the first existing directory does not belong to root, e.g. if we have /home/u1/a/b/c/ccache_dir/ccfile and a, b and c have to be created?
- The sequence '%P' is expanded to the client's PID. I think the PID does not qualify to be unique for a user and consequently a ccache directory with only this sequence and no other user specific sequences like '%u' is created as a public directory. Do you agree?

bye, Sumit

From 8eab929b3fe38b33f31d22bce87f1a7b96db21c8 Mon Sep 17 00:00:00 2001 
From: Sumit Bose sb...@redhat.com Date: Tue, 23 Feb 2010 09:43:51 +0100 Subject: [PATCH] Add expandable sequences to krb5_ccachedir As with krb5_ccname_template sequences like %u can be used in the krb5_ccachedir parameter which are expanded at runtime. If the directory does not exist, it will be created. Depending on the used sequences it is created as a public or private directory. --- src/man/sssd-krb5.5.xml | 12 +- src/providers/krb5/krb5_auth.c | 19 ++- src/providers/krb5/krb5_auth.h |6 + src/providers/krb5/krb5_common.c | 13 -- src/providers/krb5/krb5_init.c | 12 ++ src/providers/krb5/krb5_utils.c | 144 +- src/providers/krb5/krb5_utils.h |8 +- src/tests/krb5_utils-tests.c | 407 +- 8 files changed, 505 insertions(+), 116 deletions(-) diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml index 32b6c29..5a1d626 100644 --- a/src/man/sssd-krb5.5.xml +++ b/src/man/sssd-krb5.5.xml @@ -102,7 +102,17 @@ termkrb5_ccachedir (string)/term listitem para -Directory to store credential caches. +Directory to store credential caches. All the +substitution sequences of krb5_ccname_template can +be used here, too, except %d. If the directory does +not exist it will be created. If %u, %U, %p or %h +are used a private directory belonging to the user +is created. Otherwise a public directory with +restricted deletion flag (aka sticky bit, see +citerefentry +refentrytitlechmod/refentrytitle +manvolnum1/manvolnum +/citerefentry for details) is created. /para para Default: /tmp diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 0e5230c..fde3b93 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -880,6 +880,7 @@ static void krb5_resolve_done(struct tevent_req *req) struct be_req *be_req = kr-req; char *msg; size_t offset = 0; +bool private_path = false; ret = be_resolve_server_recv(req, kr-srv); talloc_zfree(req); 
@@ -915,12 +916,26 @@ static void krb5_resolve_done(struct tevent_req *req) } kr-ccname = expand_ccname_template(kr, kr, dp_opt_get_cstring(kr-krb5_ctx-opts, - KRB5_CCNAME_TMPL) -); + KRB5_CCNAME_TMPL), +true, private_path); if (kr-ccname == NULL) { DEBUG(1, (expand_ccname_template failed.\n)); goto done; } + +if (private_path) { +ret = create_ccache_dir(kr, kr-ccname, +kr-krb5_ctx-illegal_path_re, +kr-uid, kr-gid, 0700
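The following C program is an added example, not code from Sumit's patch or from SSSD's krb5_utils.c. It models what this thread discusses: expanding a krb5_ccachedir template, deciding from the sequences used whether the result is a private (user-owned, 0700) or public (sticky, 01777) directory, and vetting the expanded path for ".." components before anything would be created. The struct ccache_user, the sample values, the meanings assigned to %U, %p and %h (uid, principal, home directory) and all function names are assumptions of this example; the thread itself only spells out %u (user specific) and %P (client PID).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* What the krb5 child knows about the user; constructed fields for this example. */
struct ccache_user {
    const char *name;       /* %u  user name */
    uid_t uid;              /* %U  numeric uid (assumed meaning) */
    const char *principal;  /* %p  principal (assumed meaning) */
    const char *home;       /* %h  home directory (assumed meaning) */
    pid_t pid;              /* %P  client PID */
};

/* Append s to out (capacity outsz, current length *len); -1 on overflow. */
static int append_str(char *out, size_t outsz, size_t *len, const char *s)
{
    size_t n = strlen(s);
    if (*len + n + 1 > outsz) {
        return -1;
    }
    memcpy(out + *len, s, n);
    *len += n;
    out[*len] = '\0';
    return 0;
}

/* Expand a krb5_ccachedir template. Returns 0 on success, -1 on %d (not
 * permitted here per the man page hunk), on an unknown or dangling '%', or
 * on overflow. *private_path is set iff a user specific sequence (%u, %U,
 * %p, %h) occurs; %P alone leaves the directory public, as proposed above. */
static int expand_ccachedir(const char *tmpl, const struct ccache_user *u,
                            char *out, size_t outsz, bool *private_path)
{
    size_t len = 0;
    char num[32];
    out[0] = '\0';
    *private_path = false;

    for (const char *p = tmpl; *p != '\0'; p++) {
        const char *rep = NULL;
        char lit[2] = { *p, '\0' };
        if (*p != '%') {
            rep = lit;                  /* ordinary character, copied as-is */
        } else {
            switch (*++p) {
            case 'u': *private_path = true; rep = u->name; break;
            case 'p': *private_path = true; rep = u->principal; break;
            case 'h': *private_path = true; rep = u->home; break;
            case 'U': *private_path = true;
                      snprintf(num, sizeof(num), "%lu", (unsigned long)u->uid);
                      rep = num; break;
            case 'P': snprintf(num, sizeof(num), "%ld", (long)u->pid);
                      rep = num; break;
            case '%': rep = "%"; break;
            default:  return -1;        /* %d, unknown sequence or trailing '%' */
            }
        }
        if (append_str(out, outsz, &len, rep) != 0) {
            return -1;
        }
    }
    return 0;
}

/* The expanded path contains user-derived strings, so vet it before any
 * mkdir(): it must be absolute and contain no "." or ".." component (this
 * covers the '/../' pattern mentioned above and its neighbours). */
static bool ccachedir_path_is_safe(const char *path)
{
    if (path[0] != '/') {
        return false;
    }
    for (const char *p = path; *p != '\0';) {
        while (*p == '/') p++;
        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t n = (size_t)(p - start);
        if ((n == 1 && start[0] == '.') ||
            (n == 2 && start[0] == '.' && start[1] == '.')) {
            return false;
        }
    }
    return true;
}

/* Leaf directory mode: 0700 (then chown'd to the user) when private, else
 * world-writable with the sticky bit. Parents stay root-owned 0755 per the
 * review above and are outside this example. */
static mode_t ccachedir_mode(bool private_path)
{
    return private_path ? (mode_t)0700 : (mode_t)01777;
}

int main(void)
{
    /* Constructed sample user and templates. */
    struct ccache_user u = { "alice", 1000, "alice@EXAMPLE.COM", "/home/alice", 4242 };
    const char *tmpls[] = { "/tmp/krb5cc_%U", "/var/tmp/sssd_%P", "/tmp/%d" };
    for (size_t i = 0; i < sizeof(tmpls) / sizeof(tmpls[0]); i++) {
        char buf[256];
        bool priv;
        if (expand_ccachedir(tmpls[i], &u, buf, sizeof(buf), &priv) != 0) {
            printf("%-20s -> rejected\n", tmpls[i]);
            continue;
        }
        printf("%-20s -> %s (%s, mode %o, safe=%d)\n", tmpls[i], buf,
               priv ? "private" : "public", (unsigned)ccachedir_mode(priv),
               ccachedir_path_is_safe(buf));
    }
    return 0;
}
```

The path check runs on the expanded string rather than on the template because the dangerous characters arrive through the substituted values (a user name containing "../" passes through %u unchanged), which is exactly why the check has to sit between expansion and mkdir().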
Re: [SSSD] [PATCH] Add simple access provider
On Thu, Feb 25, 2010 at 08:50:43PM +0100, Sumit Bose wrote:
[...]

Hi, I forgot to include a hunk in the Makefile.am patch. New version attached.

bye, Sumit

From 5acfc403e19e92b910c1d2e0fafb301dd44d1982 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Thu, 25 Feb 2010 17:30:47 +0100 Subject: [PATCH] Add simple access provider --- contrib/sssd.spec.in |2 + src/Makefile.am| 35 +- src/config/SSSDConfig.py |4 + src/config/SSSDConfigTest.py |1 + src/config/etc/sssd.api.d/sssd-simple.conf |5 + src/man/sssd-simple.5.xml | 122 + src/man/sssd.conf.5.xml|7 ++ src/providers/simple_access.c | 159 src/providers/simple_access.h | 31 ++ src/tests/simple_access-tests.c| 150 ++ 10 files changed, 511 insertions(+), 5 deletions(-) create mode 100644 src/config/etc/sssd.api.d/sssd-simple.conf create mode 100644 src/man/sssd-simple.5.xml create mode 100644 src/providers/simple_access.c create mode 100644 src/providers/simple_access.h create mode 100644 src/tests/simple_access-tests.c diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index db1c0bc..65e8868 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in 
@@ -241,6 +241,7 @@ rm -f \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \ +$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_simple.la \ $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la \ $RPM_BUILD_ROOT/%{python_sitearch}/pysss.la @@ -288,6 +289,7 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man5/sssd-ipa.5* %{_mandir}/man5/sssd-krb5.5* %{_mandir}/man5/sssd-ldap.5* +%{_mandir}/man5/sssd-simple.5* %{_mandir}/man8/sssd.8* %{_mandir}/man8/sss_groupadd.8* %{_mandir}/man8/sss_groupdel.8* diff --git a/src/Makefile.am b/src/Makefile.am index fa62702..a3e63eb 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -75,7 +75,8 @@ if HAVE_CHECK fail_over-tests \ find_uid-tests \ auth-tests
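The allow/deny rules that Stephen's review spells out earlier in this thread (both lists empty: grant; simple_allow_users set: only listed users, deny list ignored; otherwise: reject users on simple_deny_users), implemented as an added C example that is not part of Sumit's patch or of SSSD's simple_access.c. The comma-list parser, the fail-closed handling of an unparsable list, the MAX_NAMES bound and the sample user names are this example's own assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAMES 32            /* constructed bound for this example */

struct name_list {
    char *names[MAX_NAMES];
    size_t count;
};

enum access_decision { ACCESS_DENY = 0, ACCESS_ALLOW = 1 };

/* Split a comma separated option value such as "user1, user2" into trimmed
 * names. Padding whitespace is dropped and empty entries are skipped.
 * Returns 0 on success, -1 if the list overflows or memory runs out. */
static int parse_name_list(const char *value, struct name_list *out)
{
    out->count = 0;
    if (value == NULL) {
        return 0;                       /* option not set: empty list */
    }
    const char *p = value;
    while (*p != '\0') {
        while (*p == ',' || isspace((unsigned char)*p)) {
            p++;                        /* skip separators and padding */
        }
        if (*p == '\0') {
            break;
        }
        const char *start = p;
        while (*p != '\0' && *p != ',') {
            p++;
        }
        const char *end = p;
        while (end > start && isspace((unsigned char)end[-1])) {
            end--;                      /* trim trailing whitespace */
        }
        if (out->count >= MAX_NAMES) {
            return -1;
        }
        size_t len = (size_t)(end - start);
        char *name = malloc(len + 1);
        if (name == NULL) {
            return -1;
        }
        memcpy(name, start, len);
        name[len] = '\0';
        out->names[out->count++] = name;
    }
    return 0;
}

static void free_name_list(struct name_list *l)
{
    for (size_t i = 0; i < l->count; i++) {
        free(l->names[i]);
    }
    l->count = 0;
}

/* Exact, case-sensitive comparison: names are matched as configured. */
static bool list_contains(const struct name_list *l, const char *user)
{
    for (size_t i = 0; i < l->count; i++) {
        if (strcmp(l->names[i], user) == 0) {
            return true;
        }
    }
    return false;
}

/* Apply the three rules to one login attempt. A list that cannot be parsed
 * fails closed: a broken access-control configuration must not grant. */
static enum access_decision simple_access_check(const char *allow_users,
                                                const char *deny_users,
                                                const char *user)
{
    struct name_list allow = { .count = 0 };
    struct name_list deny = { .count = 0 };
    enum access_decision decision = ACCESS_DENY;

    if (parse_name_list(allow_users, &allow) != 0 ||
        parse_name_list(deny_users, &deny) != 0) {
        goto done;                      /* malformed config: deny */
    }
    if (allow.count > 0) {
        /* rule 2: allow list set, deny list is ignored */
        decision = list_contains(&allow, user) ? ACCESS_ALLOW : ACCESS_DENY;
    } else if (list_contains(&deny, user)) {
        decision = ACCESS_DENY;         /* rule 3: listed in deny */
    } else {
        decision = ACCESS_ALLOW;        /* rule 1/3: nothing blocks the user */
    }

done:
    free_name_list(&allow);
    free_name_list(&deny);
    return decision;
}

int main(void)
{
    /* Constructed sample configuration mirroring the man page example. */
    const char *users[] = { "user1", "user3" };
    for (size_t i = 0; i < 2; i++) {
        printf("simple_allow_users = user1, user2; user %s -> %s\n", users[i],
               simple_access_check("user1, user2", NULL, users[i]) == ACCESS_ALLOW
                   ? "allow" : "deny");
    }
    return 0;
}
```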
Re: [SSSD] [PATCH] Run 'make check' during rpmbuild
On Fri, Feb 26, 2010 at 12:25:38PM -0500, Stephen Gallagher wrote:
Regression test failures should be considered build breakages.

ACK

bye, Sumit
Re: [SSSD] [PATCH] Define _GNU_SOURCE in pam_sss.c.
On Fri, Feb 26, 2010 at 12:07:29PM -0600, George McCollister wrote:
Hi,
The latest version of sssd failed to compile for me until I applied this patch.
Regards, George McCollister

ACK

bye, Sumit
Re: [SSSD] [PATCH] fix mismatched _recv function in proxy.c
On Sat, Feb 27, 2010 at 04:31:43PM -0500, Simo Sorce wrote:
While looking at the code I found this mismatch. The error is mostly cosmetic, but it's an error nonetheless.
Simo.

ACK

bye, Sumit
Re: [SSSD] [PATCH] Add --with-test-dir option to configure
On Mon, Mar 01, 2010 at 11:17:13AM +0100, Sumit Bose wrote:
On Fri, Feb 26, 2010 at 12:23:51PM -0500, Stephen Gallagher wrote:
On 02/26/2010 11:15 AM, Stephen Gallagher wrote:
All 'make check' tests will chdir() into this directory before running the suite. This provides the option of having temporary files generated in a tmpfs or ramdisk e.g. ./configure --with-test-dir=/dev/shm This is especially useful when your normal build directory is on a slow and/or encrypted filesystem.

New version. This one uses tests_set_cwd() instead of copying the chdir() code into every test. It also updates the makefile so that we only have to build tests/common.c once.

ACK.

bye, Sumit

ahh, sorry, NACK, there is another #ifdef SYSDB_TEST where ABS_BUILD_DIR needs to be used.

bye, Sumit
Re: [SSSD] [PATCH] Add --with-test-dir option to configure
On Tue, Mar 02, 2010 at 07:24:27AM -0500, Stephen Gallagher wrote:
On 03/02/2010 07:20 AM, Sumit Bose wrote:
ahh, sorry, NACK, there is another #ifdef SYSDB_TEST where ABS_BUILD_DIR needs to be used.

You're right. New patch attached.

ACK

bye, Sumit