Re: [Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls
On Wed, 10 Jul 2013, Simo Sorce wrote: On Wed, 2013-07-10 at 19:15 +0300, Alexander Bokovoy wrote: On Tue, 09 Jul 2013, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 11:42:00AM +0200, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 10:33:19AM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 07:32:41PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 04:15:39PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Alexander Bokovoy wrote: On Wed, 03 Jul 2013, Sumit Bose wrote: Hi, with this patch the extdom plugin, the LDAP extended operation that allows IPA clients with recent SSSD to lookup AD users and groups, will not use winbind for the lookup anymore but will use SSSD running in ipa_server_mode. Since now no plugin uses the winbind client libraries anymore, the second patch removes the related configures checks. I think for the time being we cannot remove winbind completely because it might be needed for msbd to work properly in a trusted environment. s/msbd/smbd/ ACK. I need to add 'ipa_server_mode = True' support to the installer code and then these patches can go in. Actually, the code still doesn't work due to some bug in sssd which fails to respond properly to getsidbyname() request in libsss_nss_idmap. Additionally I've found one missing treatment of domain_name for INP_NAME requests. We are working with Jakub on tracking down what's wrong on SSSD side. Indeed, there was a casing issue in sysdb. You can continue testing with lowercase user names in the meantime. A patch is already on the SSSD list. In addition, we need to disqualify user name when returning back a packet from extdom operation as this is what SSSD expects. Attached patch does it for all types of requests. -- / Alexander Bokovoy From 3659059c646f7b584ee07fb9e780759bcc0bb08e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 8 Jul 2013 19:19:56 +0300 Subject: [PATCH] Fix extdom plugin to provide unqualified name in response as sssd expects extdom plugin handles external operation over which SSSD asks IPA server about trusted domain users not found through normal paths but detected to belong to the trusted domains associated with IPA realm. SSSD expects that user or group name in the response will be unqualified because domain name for the user or group is also included in the response. Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully qualified name which includes the domain name we are asked to handle. The code already expects that fully-qualified names are following user@domain convention so we are simply tracking whether '@' symbol is present and is followed by the domain name. --- .../ipa-extdom-extop/ipa_extdom_common.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 8aa22e1..290da4e 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -295,6 +295,7 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, grp_result); } } +domain_name = strdup(req-data.name.domain_name); I would prefer if this was a separate patch. But this is a correct change. Separated. Ack to this patch. break; default: ret = LDAP_PROTOCOL_ERROR; @@ -338,6 +339,7 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, const char *domain_name, struct extdom_res **_res) { int ret = EFAULT; +char *locat = NULL; struct extdom_res *res; res = calloc(1, sizeof(struct extdom_res)); @@ -354,10 +356,20 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, switch(id_type) { case SSS_ID_TYPE_UID: case SSS_ID_TYPE_BOTH: +if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { +if (strstr(locat, domain_name) != NULL ) { strstr doesn't work correctly in my case. In SSSD, the domain names are case-insensitive, so you can use strcasestr here. In my case, the condition is never hit as the domain case differs: 407 res-data.user.domain_name = strdup(domain_name); (gdb) 408 if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { (gdb) n 409 if (strstr(locat, domain_name) != NULL) { (gdb) 414
Re: [Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls
On Tue, 09 Jul 2013, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 11:42:00AM +0200, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 10:33:19AM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 07:32:41PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 04:15:39PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Alexander Bokovoy wrote: On Wed, 03 Jul 2013, Sumit Bose wrote: Hi, with this patch the extdom plugin, the LDAP extended operation that allows IPA clients with recent SSSD to lookup AD users and groups, will not use winbind for the lookup anymore but will use SSSD running in ipa_server_mode. Since now no plugin uses the winbind client libraries anymore, the second patch removes the related configures checks. I think for the time being we cannot remove winbind completely because it might be needed for msbd to work properly in a trusted environment. s/msbd/smbd/ ACK. I need to add 'ipa_server_mode = True' support to the installer code and then these patches can go in. Actually, the code still doesn't work due to some bug in sssd which fails to respond properly to getsidbyname() request in libsss_nss_idmap. Additionally I've found one missing treatment of domain_name for INP_NAME requests. We are working with Jakub on tracking down what's wrong on SSSD side. Indeed, there was a casing issue in sysdb. You can continue testing with lowercase user names in the meantime. A patch is already on the SSSD list. In addition, we need to disqualify user name when returning back a packet from extdom operation as this is what SSSD expects. Attached patch does it for all types of requests. -- / Alexander Bokovoy From 3659059c646f7b584ee07fb9e780759bcc0bb08e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 8 Jul 2013 19:19:56 +0300 Subject: [PATCH] Fix extdom plugin to provide unqualified name in response as sssd expects extdom plugin handles external operation over which SSSD asks IPA server about trusted domain users not found through normal paths but detected to belong to the trusted domains associated with IPA realm. SSSD expects that user or group name in the response will be unqualified because domain name for the user or group is also included in the response. Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully qualified name which includes the domain name we are asked to handle. The code already expects that fully-qualified names are following user@domain convention so we are simply tracking whether '@' symbol is present and is followed by the domain name. --- .../ipa-extdom-extop/ipa_extdom_common.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 8aa22e1..290da4e 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -295,6 +295,7 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, grp_result); } } +domain_name = strdup(req-data.name.domain_name); I would prefer if this was a separate patch. But this is a correct change. Separated. Ack to this patch. break; default: ret = LDAP_PROTOCOL_ERROR; @@ -338,6 +339,7 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, const char *domain_name, struct extdom_res **_res) { int ret = EFAULT; +char *locat = NULL; struct extdom_res *res; res = calloc(1, sizeof(struct extdom_res)); @@ -354,10 +356,20 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, switch(id_type) { case SSS_ID_TYPE_UID: case SSS_ID_TYPE_BOTH: +if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { +if (strstr(locat, domain_name) != NULL ) { strstr doesn't work correctly in my case. In SSSD, the domain names are case-insensitive, so you can use strcasestr here. In my case, the condition is never hit as the domain case differs: 407 res-data.user.domain_name = strdup(domain_name); (gdb) 408 if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { (gdb) n 409 if (strstr(locat, domain_name) != NULL) { (gdb) 414 strdup(pg_data-data.pwd.pw_name); (gdb) p domain_name $1 = 0x7f2e800f0690 AD.EXAMPLE.COM (gdb) p locat $2 = 0x7f2e8006500d @ad.example.com Replaced by strcasestr. Also, this is good enough for the beta
Re: [Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls
On Wed, 2013-07-10 at 19:15 +0300, Alexander Bokovoy wrote: On Tue, 09 Jul 2013, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 11:42:00AM +0200, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 10:33:19AM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 07:32:41PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 04:15:39PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Alexander Bokovoy wrote: On Wed, 03 Jul 2013, Sumit Bose wrote: Hi, with this patch the extdom plugin, the LDAP extended operation that allows IPA clients with recent SSSD to lookup AD users and groups, will not use winbind for the lookup anymore but will use SSSD running in ipa_server_mode. Since now no plugin uses the winbind client libraries anymore, the second patch removes the related configures checks. I think for the time being we cannot remove winbind completely because it might be needed for msbd to work properly in a trusted environment. s/msbd/smbd/ ACK. I need to add 'ipa_server_mode = True' support to the installer code and then these patches can go in. Actually, the code still doesn't work due to some bug in sssd which fails to respond properly to getsidbyname() request in libsss_nss_idmap. Additionally I've found one missing treatment of domain_name for INP_NAME requests. We are working with Jakub on tracking down what's wrong on SSSD side. Indeed, there was a casing issue in sysdb. You can continue testing with lowercase user names in the meantime. A patch is already on the SSSD list. In addition, we need to disqualify user name when returning back a packet from extdom operation as this is what SSSD expects. Attached patch does it for all types of requests. -- / Alexander Bokovoy From 3659059c646f7b584ee07fb9e780759bcc0bb08e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 8 Jul 2013 19:19:56 +0300 Subject: [PATCH] Fix extdom plugin to provide unqualified name in response as sssd expects extdom plugin handles external operation over which SSSD asks IPA server about trusted domain users not found through normal paths but detected to belong to the trusted domains associated with IPA realm. SSSD expects that user or group name in the response will be unqualified because domain name for the user or group is also included in the response. Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully qualified name which includes the domain name we are asked to handle. The code already expects that fully-qualified names are following user@domain convention so we are simply tracking whether '@' symbol is present and is followed by the domain name. --- .../ipa-extdom-extop/ipa_extdom_common.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 8aa22e1..290da4e 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -295,6 +295,7 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, grp_result); } } +domain_name = strdup(req-data.name.domain_name); I would prefer if this was a separate patch. But this is a correct change. Separated. Ack to this patch. break; default: ret = LDAP_PROTOCOL_ERROR; @@ -338,6 +339,7 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, const char *domain_name, struct extdom_res **_res) { int ret = EFAULT; +char *locat = NULL; struct extdom_res *res; res = calloc(1, sizeof(struct extdom_res)); @@ -354,10 +356,20 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, switch(id_type) { case SSS_ID_TYPE_UID: case SSS_ID_TYPE_BOTH: +if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { +if (strstr(locat, domain_name) != NULL ) { strstr doesn't work correctly in my case. In SSSD, the domain names are case-insensitive, so you can use strcasestr here. In my case, the condition is never hit as the domain case differs: 407 res-data.user.domain_name = strdup(domain_name); (gdb) 408 if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { (gdb) n
Re: [Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls
On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 07:32:41PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 04:15:39PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Alexander Bokovoy wrote: On Wed, 03 Jul 2013, Sumit Bose wrote: Hi, with this patch the extdom plugin, the LDAP extended operation that allows IPA clients with recent SSSD to lookup AD users and groups, will not use winbind for the lookup anymore but will use SSSD running in ipa_server_mode. Since now no plugin uses the winbind client libraries anymore, the second patch removes the related configures checks. I think for the time being we cannot remove winbind completely because it might be needed for msbd to work properly in a trusted environment. s/msbd/smbd/ ACK. I need to add 'ipa_server_mode = True' support to the installer code and then these patches can go in. Actually, the code still doesn't work due to some bug in sssd which fails to respond properly to getsidbyname() request in libsss_nss_idmap. Additionally I've found one missing treatment of domain_name for INP_NAME requests. We are working with Jakub on tracking down what's wrong on SSSD side. Indeed, there was a casing issue in sysdb. You can continue testing with lowercase user names in the meantime. A patch is already on the SSSD list. In addition, we need to disqualify user name when returning back a packet from extdom operation as this is what SSSD expects. Attached patch does it for all types of requests. -- / Alexander Bokovoy From 3659059c646f7b584ee07fb9e780759bcc0bb08e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 8 Jul 2013 19:19:56 +0300 Subject: [PATCH] Fix extdom plugin to provide unqualified name in response as sssd expects extdom plugin handles external operation over which SSSD asks IPA server about trusted domain users not found through normal paths but detected to belong to the trusted domains associated with IPA realm. SSSD expects that user or group name in the response will be unqualified because domain name for the user or group is also included in the response. Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully qualified name which includes the domain name we are asked to handle. The code already expects that fully-qualified names are following user@domain convention so we are simply tracking whether '@' symbol is present and is followed by the domain name. --- .../ipa-extdom-extop/ipa_extdom_common.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 8aa22e1..290da4e 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -295,6 +295,7 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, grp_result); } } +domain_name = strdup(req-data.name.domain_name); I would prefer if this was a separate patch. But this is a correct change. Separated. break; default: ret = LDAP_PROTOCOL_ERROR; @@ -338,6 +339,7 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, const char *domain_name, struct extdom_res **_res) { int ret = EFAULT; +char *locat = NULL; struct extdom_res *res; res = calloc(1, sizeof(struct extdom_res)); @@ -354,10 +356,20 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, switch(id_type) { case SSS_ID_TYPE_UID: case SSS_ID_TYPE_BOTH: +if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { +if (strstr(locat, domain_name) != NULL ) { strstr doesn't work correctly in my case. In SSSD, the domain names are case-insensitive, so you can use strcasestr here. In my case, the condition is never hit as the domain case differs: 407 res-data.user.domain_name = strdup(domain_name); (gdb) 408 if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { (gdb) n 409 if (strstr(locat, domain_name) != NULL) { (gdb) 414 strdup(pg_data-data.pwd.pw_name); (gdb) p domain_name $1 = 0x7f2e800f0690 AD.EXAMPLE.COM (gdb) p locat $2 = 0x7f2e8006500d @ad.example.com Replaced by strcasestr. Also, this is good enough for the beta or when the default values are used, but in theory, the admin could configure the fully qualified name format to not include the @-sign (see full_name_format in sssd.conf) at all. It's not very likely, but I think we should account for that case eventually. I'm not exactly sure how yet as the
Re: [Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls
On Tue, Jul 09, 2013 at 10:33:19AM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 07:32:41PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 04:15:39PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Alexander Bokovoy wrote: On Wed, 03 Jul 2013, Sumit Bose wrote: Hi, with this patch the extdom plugin, the LDAP extended operation that allows IPA clients with recent SSSD to lookup AD users and groups, will not use winbind for the lookup anymore but will use SSSD running in ipa_server_mode. Since now no plugin uses the winbind client libraries anymore, the second patch removes the related configures checks. I think for the time being we cannot remove winbind completely because it might be needed for msbd to work properly in a trusted environment. s/msbd/smbd/ ACK. I need to add 'ipa_server_mode = True' support to the installer code and then these patches can go in. Actually, the code still doesn't work due to some bug in sssd which fails to respond properly to getsidbyname() request in libsss_nss_idmap. Additionally I've found one missing treatment of domain_name for INP_NAME requests. We are working with Jakub on tracking down what's wrong on SSSD side. Indeed, there was a casing issue in sysdb. You can continue testing with lowercase user names in the meantime. A patch is already on the SSSD list. In addition, we need to disqualify user name when returning back a packet from extdom operation as this is what SSSD expects. Attached patch does it for all types of requests. -- / Alexander Bokovoy From 3659059c646f7b584ee07fb9e780759bcc0bb08e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 8 Jul 2013 19:19:56 +0300 Subject: [PATCH] Fix extdom plugin to provide unqualified name in response as sssd expects extdom plugin handles external operation over which SSSD asks IPA server about trusted domain users not found through normal paths but detected to belong to the trusted domains associated with IPA realm. SSSD expects that user or group name in the response will be unqualified because domain name for the user or group is also included in the response. Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully qualified name which includes the domain name we are asked to handle. The code already expects that fully-qualified names are following user@domain convention so we are simply tracking whether '@' symbol is present and is followed by the domain name. --- .../ipa-extdom-extop/ipa_extdom_common.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 8aa22e1..290da4e 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -295,6 +295,7 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, grp_result); } } +domain_name = strdup(req-data.name.domain_name); I would prefer if this was a separate patch. But this is a correct change. Separated. Ack to this patch. break; default: ret = LDAP_PROTOCOL_ERROR; @@ -338,6 +339,7 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, const char *domain_name, struct extdom_res **_res) { int ret = EFAULT; +char *locat = NULL; struct extdom_res *res; res = calloc(1, sizeof(struct extdom_res)); @@ -354,10 +356,20 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, switch(id_type) { case SSS_ID_TYPE_UID: case SSS_ID_TYPE_BOTH: +if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { +if (strstr(locat, domain_name) != NULL ) { strstr doesn't work correctly in my case. In SSSD, the domain names are case-insensitive, so you can use strcasestr here. In my case, the condition is never hit as the domain case differs: 407 res-data.user.domain_name = strdup(domain_name); (gdb) 408 if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { (gdb) n 409 if (strstr(locat, domain_name) != NULL) { (gdb) 414 strdup(pg_data-data.pwd.pw_name); (gdb) p domain_name $1 = 0x7f2e800f0690 AD.EXAMPLE.COM (gdb) p locat $2 = 0x7f2e8006500d @ad.example.com Replaced by strcasestr. Also, this is good enough for the beta or when the default values are used, but in theory, the admin could configure the
Re: [Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls
On Tue, Jul 09, 2013 at 11:42:00AM +0200, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 10:33:19AM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 07:32:41PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 04:15:39PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Alexander Bokovoy wrote: On Wed, 03 Jul 2013, Sumit Bose wrote: Hi, with this patch the extdom plugin, the LDAP extended operation that allows IPA clients with recent SSSD to lookup AD users and groups, will not use winbind for the lookup anymore but will use SSSD running in ipa_server_mode. Since now no plugin uses the winbind client libraries anymore, the second patch removes the related configures checks. I think for the time being we cannot remove winbind completely because it might be needed for msbd to work properly in a trusted environment. s/msbd/smbd/ ACK. I need to add 'ipa_server_mode = True' support to the installer code and then these patches can go in. Actually, the code still doesn't work due to some bug in sssd which fails to respond properly to getsidbyname() request in libsss_nss_idmap. Additionally I've found one missing treatment of domain_name for INP_NAME requests. We are working with Jakub on tracking down what's wrong on SSSD side. Indeed, there was a casing issue in sysdb. You can continue testing with lowercase user names in the meantime. A patch is already on the SSSD list. In addition, we need to disqualify user name when returning back a packet from extdom operation as this is what SSSD expects. Attached patch does it for all types of requests. -- / Alexander Bokovoy From 3659059c646f7b584ee07fb9e780759bcc0bb08e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 8 Jul 2013 19:19:56 +0300 Subject: [PATCH] Fix extdom plugin to provide unqualified name in response as sssd expects extdom plugin handles external operation over which SSSD asks IPA server about trusted domain users not found through normal paths but detected to belong to the trusted domains associated with IPA realm. SSSD expects that user or group name in the response will be unqualified because domain name for the user or group is also included in the response. Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully qualified name which includes the domain name we are asked to handle. The code already expects that fully-qualified names are following user@domain convention so we are simply tracking whether '@' symbol is present and is followed by the domain name. --- .../ipa-extdom-extop/ipa_extdom_common.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 8aa22e1..290da4e 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -295,6 +295,7 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, grp_result); } } +domain_name = strdup(req-data.name.domain_name); I would prefer if this was a separate patch. But this is a correct change. Separated. Ack to this patch. break; default: ret = LDAP_PROTOCOL_ERROR; @@ -338,6 +339,7 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, const char *domain_name, struct extdom_res **_res) { int ret = EFAULT; +char *locat = NULL; struct extdom_res *res; res = calloc(1, sizeof(struct extdom_res)); @@ -354,10 +356,20 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, switch(id_type) { case SSS_ID_TYPE_UID: case SSS_ID_TYPE_BOTH: +if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { +if (strstr(locat, domain_name) != NULL ) { strstr doesn't work correctly in my case. In SSSD, the domain names are case-insensitive, so you can use strcasestr here. In my case, the condition is never hit as the domain case differs: 407 res-data.user.domain_name = strdup(domain_name); (gdb) 408 if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { (gdb) n 409 if (strstr(locat, domain_name) != NULL) { (gdb) 414 strdup(pg_data-data.pwd.pw_name); (gdb) p domain_name $1 = 0x7f2e800f0690 AD.EXAMPLE.COM (gdb) p
Re: [Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls
On Wed, 03 Jul 2013, Sumit Bose wrote: Hi, with this patch the extdom plugin, the LDAP extended operation that allows IPA clients with recent SSSD to lookup AD users and groups, will not use winbind for the lookup anymore but will use SSSD running in ipa_server_mode. Since now no plugin uses the winbind client libraries anymore, the second patch removes the related configures checks. I think for the time being we cannot remove winbind completely because it might be needed for msbd to work properly in a trusted environment. s/msbd/smbd/ ACK. I need to add 'ipa_server_mode = True' support to the installer code and then these patches can go in. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls
On Mon, 08 Jul 2013, Alexander Bokovoy wrote: On Wed, 03 Jul 2013, Sumit Bose wrote: Hi, with this patch the extdom plugin, the LDAP extended operation that allows IPA clients with recent SSSD to lookup AD users and groups, will not use winbind for the lookup anymore but will use SSSD running in ipa_server_mode. Since now no plugin uses the winbind client libraries anymore, the second patch removes the related configures checks. I think for the time being we cannot remove winbind completely because it might be needed for msbd to work properly in a trusted environment. s/msbd/smbd/ ACK. I need to add 'ipa_server_mode = True' support to the installer code and then these patches can go in. Actually, the code still doesn't work due to some bug in sssd which fails to respond properly to getsidbyname() request in libsss_nss_idmap. Additionally I've found one missing treatment of domain_name for INP_NAME requests. We are working with Jakub on tracking down what's wrong on SSSD side. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls
On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 04:15:39PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Alexander Bokovoy wrote: On Wed, 03 Jul 2013, Sumit Bose wrote: Hi, with this patch the extdom plugin, the LDAP extended operation that allows IPA clients with recent SSSD to lookup AD users and groups, will not use winbind for the lookup anymore but will use SSSD running in ipa_server_mode. Since now no plugin uses the winbind client libraries anymore, the second patch removes the related configures checks. I think for the time being we cannot remove winbind completely because it might be needed for msbd to work properly in a trusted environment. s/msbd/smbd/ ACK. I need to add 'ipa_server_mode = True' support to the installer code and then these patches can go in. Actually, the code still doesn't work due to some bug in sssd which fails to respond properly to getsidbyname() request in libsss_nss_idmap. Additionally I've found one missing treatment of domain_name for INP_NAME requests. We are working with Jakub on tracking down what's wrong on SSSD side. Indeed, there was a casing issue in sysdb. You can continue testing with lowercase user names in the meantime. A patch is already on the SSSD list. In addition, we need to disqualify user name when returning back a packet from extdom operation as this is what SSSD expects. Attached patch does it for all types of requests. -- / Alexander Bokovoy From 3659059c646f7b584ee07fb9e780759bcc0bb08e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 8 Jul 2013 19:19:56 +0300 Subject: [PATCH] Fix extdom plugin to provide unqualified name in response as sssd expects extdom plugin handles external operation over which SSSD asks IPA server about trusted domain users not found through normal paths but detected to belong to the trusted domains associated with IPA realm. SSSD expects that user or group name in the response will be unqualified because domain name for the user or group is also included in the response. Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully qualified name which includes the domain name we are asked to handle. The code already expects that fully-qualified names are following user@domain convention so we are simply tracking whether '@' symbol is present and is followed by the domain name. --- .../ipa-extdom-extop/ipa_extdom_common.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 8aa22e1..290da4e 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -295,6 +295,7 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, grp_result); } } +domain_name = strdup(req-data.name.domain_name); break; default: ret = LDAP_PROTOCOL_ERROR; @@ -338,6 +339,7 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, const char *domain_name, struct extdom_res **_res) { int ret = EFAULT; +char *locat = NULL; struct extdom_res *res; res = calloc(1, sizeof(struct extdom_res)); @@ -354,10 +356,20 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, switch(id_type) { case SSS_ID_TYPE_UID: case SSS_ID_TYPE_BOTH: +if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { +if (strstr(locat, domain_name) != NULL ) { +locat[0] = 0; +} +} res-data.name.object_name = strdup(pg_data-data.pwd.pw_name); break; case SSS_ID_TYPE_GID: +if ((locat = strchr(pg_data-data.grp.gr_name, '@')) != NULL) { +if (strstr(locat, domain_name) != NULL) { +locat[0] = 0; +} +} res-data.name.object_name = strdup(pg_data-data.grp.gr_name); break; @@ -393,6 +405,11 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, case SSS_ID_TYPE_BOTH: res-response_type = RESP_USER; res-data.user.domain_name = strdup(domain_name); +if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { +if (strstr(locat, domain_name) != NULL) { +locat[0] = 0; +
Re: [Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls
On Mon, Jul 08, 2013 at 07:32:41PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Jakub Hrozek wrote: On Mon, Jul 08, 2013 at 04:15:39PM +0300, Alexander Bokovoy wrote: On Mon, 08 Jul 2013, Alexander Bokovoy wrote: On Wed, 03 Jul 2013, Sumit Bose wrote: Hi, with this patch the extdom plugin, the LDAP extended operation that allows IPA clients with recent SSSD to lookup AD users and groups, will not use winbind for the lookup anymore but will use SSSD running in ipa_server_mode. Since now no plugin uses the winbind client libraries anymore, the second patch removes the related configures checks. I think for the time being we cannot remove winbind completely because it might be needed for msbd to work properly in a trusted environment. s/msbd/smbd/ ACK. I need to add 'ipa_server_mode = True' support to the installer code and then these patches can go in. Actually, the code still doesn't work due to some bug in sssd which fails to respond properly to getsidbyname() request in libsss_nss_idmap. Additionally I've found one missing treatment of domain_name for INP_NAME requests. We are working with Jakub on tracking down what's wrong on SSSD side. Indeed, there was a casing issue in sysdb. You can continue testing with lowercase user names in the meantime. A patch is already on the SSSD list. In addition, we need to disqualify user name when returning back a packet from extdom operation as this is what SSSD expects. Attached patch does it for all types of requests. -- / Alexander Bokovoy From 3659059c646f7b584ee07fb9e780759bcc0bb08e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 8 Jul 2013 19:19:56 +0300 Subject: [PATCH] Fix extdom plugin to provide unqualified name in response as sssd expects extdom plugin handles external operation over which SSSD asks IPA server about trusted domain users not found through normal paths but detected to belong to the trusted domains associated with IPA realm. SSSD expects that user or group name in the response will be unqualified because domain name for the user or group is also included in the response. Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully qualified name which includes the domain name we are asked to handle. The code already expects that fully-qualified names are following user@domain convention so we are simply tracking whether '@' symbol is present and is followed by the domain name. --- .../ipa-extdom-extop/ipa_extdom_common.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 8aa22e1..290da4e 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -295,6 +295,7 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, grp_result); } } +domain_name = strdup(req-data.name.domain_name); I would prefer if this was a separate patch. But this is a correct change. break; default: ret = LDAP_PROTOCOL_ERROR; @@ -338,6 +339,7 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, const char *domain_name, struct extdom_res **_res) { int ret = EFAULT; +char *locat = NULL; struct extdom_res *res; res = calloc(1, sizeof(struct extdom_res)); @@ -354,10 +356,20 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data, switch(id_type) { case SSS_ID_TYPE_UID: case SSS_ID_TYPE_BOTH: +if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { +if (strstr(locat, domain_name) != NULL ) { strstr doesn't work correctly in my case. In SSSD, the domain names are case-insensitive, so you can use strcasestr here. In my case, the condition is never hit as the domain case differs: 407 res-data.user.domain_name = strdup(domain_name); (gdb) 408 if ((locat = strchr(pg_data-data.pwd.pw_name, '@')) != NULL) { (gdb) n 409 if (strstr(locat, domain_name) != NULL) { (gdb) 414 strdup(pg_data-data.pwd.pw_name); (gdb) p domain_name $1 = 0x7f2e800f0690 AD.EXAMPLE.COM (gdb) p locat $2 = 0x7f2e8006500d @ad.example.com Also, this is good enough for the beta or when the default values are used, but in theory, the admin could configure the fully qualified name format to not include the @-sign (see full_name_format in sssd.conf) at all. It's not very likely, but I think we should account for that case eventually. I'm not exactly sure how yet as
[Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls
Hi, with this patch the extdom plugin, the LDAP extended operation that allows IPA clients with recent SSSD to lookup AD users and groups, will not use winbind for the lookup anymore but will use SSSD running in ipa_server_mode. Since now no plugin uses the winbind client libraries anymore, the second patch removes the related configures checks. I think for the time being we cannot remove winbind completely because it might be needed for msbd to work properly in a trusted environment. bye, Sumit From 14c5947a73a7c61de2b71b338ce1c7c1f6771f13 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Wed, 3 Jul 2013 14:27:14 +0200 Subject: [PATCH 117/118] extdom: replace winbind calls with POSIX/SSSD calls With the new ipa_server_mode SSSD is able to read user and group data from trusted AD domains directly and makes this data available via the NSS responder. With this mode enabled winbind is not needed anymore to lookup users and groups of trusted domains. This patch removed the calls to winbind from the extdom plugin and replaces them with standard POSIX calls like getpwnam() and calls from libsss_nss_idmap to lookup SIDs. Fixes https://fedorahosted.org/freeipa/ticket/3637 because now the extdom plugin does not need to handle idranges anymore, but everything is done inside SSSD. --- daemons/configure.ac | 1 + .../ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 6 +- .../ipa-extdom-extop/ipa_extdom.h | 34 +- .../ipa-extdom-extop/ipa_extdom_common.c | 505 + .../ipa-extdom-extop/ipa_extdom_extop.c| 4 +- .../ipa-extdom-extop/ipa_extdom_tests.c| 12 +- 6 files changed, 261 insertions(+), 301 deletions(-) diff --git a/daemons/configure.ac b/daemons/configure.ac index 21d4e7a77c98e3dc7c630724b1124f1c213d0e6f..62722d554a685e6a13642fb7171a62f7a4e38fda 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -240,6 +240,7 @@ dnl -- dirsrv is needed for the extdom unit tests -- PKG_CHECK_MODULES([DIRSRV], [dirsrv = 1.3.0]) dnl -- sss_idmap is needed by the extdom exop -- PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap]) +PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap]) dnl --- dnl - Check for systemd unit directory diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am index 67b556a4ac6e2ca8ef72901c0d9bcaef428aeca0..df0c30562f09bf0e29464c9bb05f7befbd3997e1 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am @@ -15,9 +15,9 @@ AM_CPPFLAGS = \ -DDATADIR=\$(datadir)\ \ $(AM_CFLAGS)\ $(LDAP_CFLAGS) \ - $(WBCLIENT_CFLAGS) \ $(WARN_CFLAGS) \ $(SSSIDMAP_CFLAGS) \ + $(SSSNSSIDMAP_CFLAGS) \ $(NULL) plugindir = $(libdir)/dirsrv/plugins @@ -34,8 +34,8 @@ libipa_extdom_extop_la_LDFLAGS = -avoid-version libipa_extdom_extop_la_LIBADD =\ $(LDAP_LIBS)\ - $(WBCLIENT_LIBS)\ $(SSSIDMAP_LIBS)\ + $(SSSNSSIDMAP_LIBS) \ $(NULL) if HAVE_CHECK @@ -54,9 +54,9 @@ extdom_tests_LDFLAGS =\ extdom_tests_LDADD = \ $(CHECK_LIBS) \ $(LDAP_LIBS)\ - $(WBCLIENT_LIBS)\ $(DIRSRV_LIBS) \ $(SSSIDMAP_LIBS)\ + $(SSSNSSIDMAP_LIBS) \ $(NULL) appdir = $(IPA_DATA_DIR) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h index 5c2eeddceb3983fa5793c1a7fa86c5001c47beba..5f834a047a579104cd2589ce417c580c1c5388d3 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h @@ -53,14 +53,15 @@ #include stdbool.h #include stdlib.h #include stdint.h - -#include samba-4.0/wbclient.h +#include pwd.h +#include grp.h #include dirsrv/slapi-plugin.h #include lber.h #include time.h #include sss_idmap.h +#include sss_nss_idmap.h #define EXOP_EXTDOM_OID 2.16.840.1.113730.3.8.10.4 @@ -114,18 +115,18 @@ struct extdom_res { union { char *sid; struct { -const char *domain_name; -const char *object_name; +char *domain_name; +char *object_name; } name; struct { -const char *domain_name; -const char *user_name; +char *domain_name; +char