[SSSD] Design document - SSSD KCM server
Hi,

I was working on a KCM server for SSSD for some time already in parallel with the files provider and had some discussions with Simo as well. Of course my intent wasn't to implement a feature secretly without a design review, but to have a prototype to base a proper design on :) However it makes sense to have a peer-reviewed design page now, also because of Fedora's move towards Kerberos and KDC proxy, which leads to questions on the Fedora lists about ccache renewals and so on -- so I think it makes sense to pitch the design to Fedora at least already..

Here is the design page:
https://fedorahosted.org/sssd/wiki/DesignDocs/KCM
and here is the code of the KCM responder so far:
https://github.com/jhrozek/sssd/tree/kcm

Time-wise, I would like to pivot to return to working on KCM now that the files provider is more or less done and tested.

For your convenience, the design page text is included below as well.

= KCM server for SSSD =

Related ticket(s):
 * https://fedorahosted.org/sssd/ticket/2887

External links:
 * [http://k5wiki.kerberos.org/wiki/Projects/KCM_client MIT wiki KCM documentation]

=== Problem statement ===
This design page describes adding a new SSSD responder, called `sssd_kcm`. This component would manage Kerberos credential caches and store them in SSSD's secrets storage.

=== Use cases ===
 * A sysadmin needs to deploy applications in containers without worrying about applications clobbering each other's credential caches in a kernel keyring, as keyrings are not namespaced
 * A user wants to keep having her Kerberos ticket automatically renewed regardless of the ticket being acquired through a PAM conversation with SSSD or from the command line with kinit
 * A system admin wants to leverage a collection-aware credentials cache for most applications on their systems, yet enable a legacy application that can only work with a FILE-based ccache to interoperate with them

=== Overview of the solution ===
Over time, both libkrb5 and SSSD used different credential cache types to store Kerberos credentials - going from a simple file-based storage (`FILE:`) to a directory (`DIR:`) and most recently a kernel-keyring based cache (`KEYRING:`). Each of these caches has its own set of advantages and disadvantages. The `FILE` ccache is very widely supported, but does not support multiple primary caches. The `DIR` cache does, but creating and managing the directories including proper access control can be tricky. The `KEYRING` cache is not well suited for cases where multiple semi-isolated environments might share the same kernel. Managing credential caches' lifetime is not solved well automatically in any of these cache types, only with the help of a daemon like SSSD.

An interesting credentials cache that might solve the issues mentioned above is `KCM`. With KCM, the Kerberos caches are not stored in a "passive" store, but managed by a daemon. In this setup, the Kerberos library (typically used through an application, like for example `kinit`) is a "KCM client" and the daemon is referred to as a "KCM server".

Having the Kerberos credential caches managed by a daemon has several advantages:
 * the daemon is stateful and can perform tasks like Kerberos credential cache renewals or reaping old ccaches. Some tasks, like renewals, are possible already with SSSD, but only for tickets that SSSD itself acquired (typically via a login through `pam_sss.so`) and tracks. Tickets acquired otherwise, most notably through kinit, wouldn't be tracked and renewed.
 * since the process runs in userspace, it is subject to UID namespacing, [http://www.projectatomic.io/blog/2014/09/yet-another-reason-containers-don-t-contain-kernel-keyrings/ unlike the kernel keyring]
 * unlike the kernel keyring-based cache, which is entirely dependent on UIDs of the caller and in a containerized environment is shared between all containers, the KCM server's entry point is a UNIX socket which can be bind-mounted to only some containers
 * the protocol between the client and the server can be extended for custom operations such as dumping a cache in a different format to a specific location. This would be beneficial for applications that only understand a certain Kerberos ccache type - for example, some legacy applications only know how to deal with a FILE-based cache, thus preventing the use of cache collections

Only the Heimdal Kerberos implementation currently implements a KCM server, but both Heimdal and MIT implement the client-side operations (in libkrb5) to manage KCM-based Kerberos ccaches.

This design page describes adding a KCM server to SSSD. While it's of course possible to create a completely standalone daemon that would implement a KCM server, doing so in the context of SSSD has several advantages, notably:
 * An easy access to the authentication provider of SSSD that already has existing and tested code to renew Kerberos credentials on user's behalf
 * SSSD alre
[SSSD] [sssd PR#84][opened] Socket-activation of SSSD responders
URL: https://github.com/SSSD/sssd/pull/84 Author: fidencio Title: #84: Socket-activation of SSSD responders Action: opened PR body: """ This series fixes [#2243](https://fedorahosted.org/sssd/ticket/2243) and [#3129](https://fedorahosted.org/sssd/ticket/3129), following what was discussed in the [ML](https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/message/H6JOF5SGGSIJUIWYNANDA73ODHWBS7J2/) and summed up at [this](https://fedorahosted.org/sssd/wiki/DesignDocs/SocketActivatableResponders) design document. The approach taken was the less intrusive possible and keeps the backward compatibility. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/84/head:pr84 git checkout pr84 From 3d421db241aa3188d16f938ac579811323c27fea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 16 Nov 2016 17:21:54 +0100 Subject: [PATCH 01/14] MONITOR: Expose the monitor's services type MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's expose the monitor's service type so it can be passed by the services to the RegisterService method. It will be needed in the future, for socket-activation of the responders, as we will need to differentiate the cases where the service being registered is still not in the list of the services but is still a valid case because it was just socket-activated. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano FidĂȘncio --- src/monitor/monitor.c| 5 - src/monitor/monitor_interfaces.h | 5 + 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index 935febb..23b0f79 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -91,11 +91,6 @@ int cmdline_debug_microseconds; struct svc_spy; -enum mt_svc_type { -MT_SVC_SERVICE, -MT_SVC_PROVIDER -}; - struct mt_svc { struct mt_svc *prev; struct mt_svc *next; 
diff --git a/src/monitor/monitor_interfaces.h b/src/monitor/monitor_interfaces.h index 8a9e4fe..9004801 100644 --- a/src/monitor/monitor_interfaces.h +++ b/src/monitor/monitor_interfaces.h @@ -35,6 +35,11 @@ #define SSSD_SERVICE_PIPE "private/sbus-monitor" +enum mt_svc_type { +MT_SVC_SERVICE, +MT_SVC_PROVIDER +}; + int monitor_get_sbus_address(TALLOC_CTX *mem_ctx, char **address); int monitor_common_send_id(struct sbus_connection *conn, const char *name, uint16_t version); From 150509f07893f3563b630d39daa5c3073f080900 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 16 Nov 2016 17:32:10 +0100 Subject: [PATCH 02/14] MONITOR: Pass the service type to the RegisterService method MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Passing the service type to the RegisterService method will help us in the future, for socket-activation, as we will need to differentiate cases where the service being registered is still not in the services' list but is a valid case and has to be added there as it was socket-activated. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano FidĂȘncio --- src/monitor/monitor.c | 2 ++ src/monitor/monitor_interfaces.h| 3 ++- src/monitor/monitor_sbus.c | 6 -- src/providers/data_provider_be.c| 2 +- src/responder/common/responder_common.c | 4 ++-- 5 files changed, 11 insertions(+), 6 deletions(-) diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index 23b0f79..969b854 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -227,6 +227,7 @@ static int client_registration(struct sbus_request *dbus_req, void *data) struct mt_svc *svc; DBusError dbus_error; dbus_uint16_t svc_ver; +dbus_uint16_t svc_type; char *svc_name; dbus_bool_t dbret; int ret; 
@@ -245,6 +246,7 @@ static int client_registration(struct sbus_request *dbus_req, void *data) dbret = dbus_message_get_args(dbus_req->message, &dbus_error, DBUS_TYPE_STRING, &svc_name, DBUS_TYPE_UINT16, &svc_ver, + DBUS_TYPE_UINT16, &svc_type, DBUS_TYPE_INVALID); if (!dbret) { DEBUG(SSSDBG_CRIT_FAILURE, diff --git a/src/monitor/monitor_interfaces.h b/src/monitor/monitor_interfaces.h index 9004801..986bac5 100644 --- a/src/monitor/monitor_interfaces.h +++ b/src/monitor/monitor_interfaces.h @@ -42,7 +42,7 @@ enum mt_svc_type { int monitor_get_sbus_address(TALLOC_CTX *mem_ctx, char **address); int monitor_common_send_id(struct sbus_connection *conn, - const char *name, uint16_t version); + const char *name, uint16_t version, uint16_t type); int monitor_common_res_init(struct sbus_request *dbus_req, void
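Review bot: in the `client_registration` hunk of `src/monitor/monitor.c`, `svc_type` is read off the bus as a `DBUS_TYPE_UINT16` and nothing checks that it is one of `MT_SVC_SERVICE` or `MT_SVC_PROVIDER` before it is handled as an `enum mt_svc_type`; add a range check next to the existing `if (!dbret)` error path so an unexpected value from a peer is rejected with a DEBUG message instead of flowing into the service lookup. Also, adding a third argument to `dbus_message_get_args` means a RegisterService call that still carries only `(name, version)` now fails the `!dbret` branch, so the PR body's backward-compatibility claim should say how a monitor and a responder of different versions (for example mid-upgrade) are handled, or the extra argument should be parsed optionally.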
[SSSD] Re: [PATCH] Create pidfile after responders have started
Hi,

I was out last week, sorry for the delay!

The patch looks good to me, I'll try to test it too as soon as I find some time.

Thanks,
Victor
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] Design document - SSSD's files provider
Hi,

I realized I never sent a design document about the files provider to the sssd-devel list - I'm sorry about that. Nonetheless, I discussed the design with Stephen quite some time ago, so hopefully it's not completely wrong.

In general, the plan to "manage the users from files" will have several steps:
- sssd will gain id_provider=files. This is done, including tests, there is just a couple of issues to solve -- for example, we need to let the responders know that the entries in the 'files' domain are always up-to-date and the responder should not even be contacted. I pushed the code to: https://github.com/jhrozek/sssd/tree/files
- SSSD will always load the files domain, either by letting the distribution drop a configuration snippet and making sure the files provider is always first or just by hardcoding the domain. This is not done and I would like to coordinate with Fabiano's efforts to simplify the sssd config here
- the InfoPipe interface will gain a writeable interface to either manage the users and groups or set extended attributes

Related to this work is Fabiano's effort to make the responders socket-activatable.

The full design page can be found at:
https://fedorahosted.org/sssd/wiki/DesignDocs/FilesProvider

For your convenience, the full text of the design page is also pasted below:

= Feature Name =
"Files" data provider

Related ticket(s):
 * The umbrella tracking ticket: https://fedorahosted.org/sssd/ticket/2228 which includes the following sub-tasks:
   * Ship an immutable recovery mode config for local accounts - https://fedorahosted.org/sssd/ticket/2229
   * [RFE] Support UID/GID changes - https://fedorahosted.org/sssd/ticket/2244
   * Provide a "writable" D-Bus management API for local users - https://fedorahosted.org/sssd/ticket/3242

=== Problem statement ===
SSSD does not behave well with nscd, so we recommend that it be disabled. However, this comes with a price in the form of every nameservice lookup hitting the disk for {{{/etc/passwd}}} and friends every time. SSSD should be able to read and monitor these files and serve them from its cache, allowing {{{sss}}} to sort before {{{files}}} in {{{/etc/nsswitch.conf}}}.

In addition, SSSD provides some useful interfaces, such as [https://fedorahosted.org/sssd/wiki/DesignDocs/DBusUsersAndGroups the dbus interface] which only work for users and groups SSSD knows about.

=== Use cases ===
Use Case: Default Configuration

SSSD (and its useful APIs) should always be available. This means that SSSD must ship with a default configuration that works (and requires no manual configuration or joining a domain). This default configuration should provide a fast in-memory cache for all user and group information that SSSD can support, including those traditionally stored in {{{/etc/passwd}}} and friends.

Use Case: Programmatically managing POSIX attributes of a user or a group

Currently the available ways to manage users and groups are either to spawn and call shadow-utils binaries like `useradd` or to use libuser. SSSD already has a D-Bus API used to provide custom attributes of domain users. This interface should be extended to provide 'writable' methods to manage users and groups from files. This is tracked by [https://fedorahosted.org/sssd/ticket/3242 ticket #3242]

Use Case: Manage extended attributes of users and groups

For some applications (such as desktop environments), additional attributes (such as keyboard layout) should be stored along with the user. Since the passwd file has only a fixed number of fields, it might make sense to allow additional attributes to be stored in SSSD database and retrieved with sssd's D-Bus interface. Again, this is tracked by [https://fedorahosted.org/sssd/ticket/3242 ticket #3242]

=== Overview of the solution ===
SSSD should ship a {{{files}}} provider as part of its required minimal package. Absent any user modifications, SSSD should be configured to start at boot and use this provider to serve local identity information. This provider may or may not be optional. For example, we might decide that it always exists as the first domain in the list, even if not explicitly specified.

Alternatively, distributions that wish to always include the files provider will be able (starting with SSSD 1.14 and its [https://fedorahosted.org/sssd/wiki/DesignDocs/ding-libs/INIConfigMerge config merging feature]) to drop a definition of the files provider into `/etc/sssd/conf.d`. In order for this functionality to work, we would have to deprecate the `domains` line and instead load all `[domain/]` sections from all available sources, unless the `domains` line is specified for backwards-compatibility.

=== Implementation details ===
Upon SSSD startup, the {{{files}}} provider will always run a complete enumeration pass on the {{{/etc/passwd}}}, {{{/etc/group}}} and other files as appropriate. The prov
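The enumeration pass the design calls for (read every passwd and group record, build an in-memory cache, and only then answer lookups from it) is illustrated below. This is an added example written for this page, not the files provider's code or anything from the SSSD tree; the record layout is the standard passwd/group format, the sample input is constructed, and the names (`FilesCache`, `enumerate_files`, `parse_passwd_line`, `parse_group_line`) are invented here. It goes slightly beyond the text in that it also reports the conditions a provider would want to log during the pass: malformed records, a name listed twice, two names sharing one uid, and group members that do not exist in passwd.

```python
"""Enumeration pass over passwd- and group-format data, modelled on what a
files provider does at startup: read every record, reject malformed lines
instead of guessing, and rebuild an in-memory cache from scratch.
Added example with constructed sample input; not SSSD's own code."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass
class Group:
    name: str
    gid: int
    members: Tuple[str, ...]


@dataclass
class FilesCache:
    users_by_name: Dict[str, User] = field(default_factory=dict)
    users_by_uid: Dict[int, User] = field(default_factory=dict)
    groups_by_name: Dict[str, Group] = field(default_factory=dict)
    groups_by_gid: Dict[int, Group] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)  # what a provider would log


def _parse_id(text: str) -> Optional[int]:
    # ids must be plain non-negative decimals; anything else is a malformed record
    return int(text) if text.isdigit() else None


def parse_passwd_line(line: str) -> Optional[User]:
    """name:password:uid:gid:gecos:home:shell -> User, or None if malformed."""
    f = line.split(":")
    if len(f) != 7 or not f[0]:
        return None
    uid, gid = _parse_id(f[2]), _parse_id(f[3])
    if uid is None or gid is None:
        return None
    return User(f[0], uid, gid, f[4], f[5], f[6])


def parse_group_line(line: str) -> Optional[Group]:
    """name:password:gid:member,member -> Group, or None if malformed."""
    f = line.split(":")
    if len(f) != 4 or not f[0]:
        return None
    gid = _parse_id(f[2])
    if gid is None:
        return None
    return Group(f[0], gid, tuple(m for m in f[3].split(",") if m))


def _records(text: str):
    # blank lines and '#' comment lines are skipped, as nss_files does
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.strip() and not raw.startswith("#"):
            yield lineno, raw


def enumerate_files(passwd_text: str, group_text: str) -> FilesCache:
    """Rebuild the cache. Lookups keep nss_files semantics (the first record
    for a name or id wins); later collisions are reported rather than merged,
    because two names sharing one uid are effectively a single account."""
    cache = FilesCache()
    for lineno, raw in _records(passwd_text):
        user = parse_passwd_line(raw)
        if user is None:
            cache.problems.append(f"passwd:{lineno}: malformed record skipped")
            continue
        if user.name in cache.users_by_name:
            cache.problems.append(f"passwd:{lineno}: duplicate name {user.name!r}")
        else:
            cache.users_by_name[user.name] = user
        if user.uid in cache.users_by_uid:
            first = cache.users_by_uid[user.uid].name
            cache.problems.append(
                f"passwd:{lineno}: uid {user.uid} shared by {first!r} and {user.name!r}")
        else:
            cache.users_by_uid[user.uid] = user
    for lineno, raw in _records(group_text):
        group = parse_group_line(raw)
        if group is None:
            cache.problems.append(f"group:{lineno}: malformed record skipped")
            continue
        cache.groups_by_name.setdefault(group.name, group)
        cache.groups_by_gid.setdefault(group.gid, group)
        for member in group.members:
            if member not in cache.users_by_name:
                cache.problems.append(
                    f"group:{lineno}: member {member!r} of {group.name!r} is not in passwd")
    return cache


# constructed sample input (not taken from any real host)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
# comment lines and blank lines are ignored

alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
broken:x:notanumber:1002::/home/broken:/bin/sh
alice:x:1003:1003:Duplicate:/home/alice2:/bin/sh
"""

SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,ghost
users:x:100:alice,bob
"""

if __name__ == "__main__":
    cache = enumerate_files(SAMPLE_PASSWD, SAMPLE_GROUP)
    print(sorted(cache.users_by_name), sorted(cache.groups_by_gid))
    print("\n".join(cache.problems))
```

Running the block on the sample data yields four findings: the shared uid 0 between `root` and `toor`, the malformed `broken` line, the second `alice` record, and the `ghost` member of `wheel`. A real provider would additionally re-run the pass when the files change and refuse to answer from a cache that has not yet been built, so that the responder never falls back to a stale or partial view.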
[SSSD] Re: [TESTS] test_secrets.py are failing on rawhide
On Mon, Nov 21, 2016 at 03:34:49PM +0100, Lukas Slebodnik wrote:
> ehlo,
>
> FYI: There are failing integration tests on rawhide
>
> test_secrets.py::test_containers FAILED
>
> traceback
> Traceback (most recent call last):
>   File "/home/build/sssd/src/tests/intg/test_secrets.py", line 163, in test_containers
>     cli.create_container("mycontainer")
>   File "/home/build/sssd/src/tests/intg/secrets.py", line 136, in create_container
>     res = self.post(name)
>   File "/home/build/sssd/src/tests/intg/secrets.py", line 108, in post
>     return self._request(self.session.post, name, **kwargs)
>   File "/home/build/sssd/src/tests/intg/secrets.py", line 88, in _request
>     self._last_response = cmd(url, **kwargs)
>   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 535, in post
>     return self.request('POST', url, data=data, json=json, **kwargs)
>   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 474, in request
>     prep = self.prepare_request(req)
>   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 407, in prepare_request
>     hooks=merge_hooks(request.hooks, self.hooks),
>   File "/usr/lib/python2.7/site-packages/requests/models.py", line 302, in prepare
>     self.prepare_url(url, params)
>   File "/usr/lib/python2.7/site-packages/requests/models.py", line 372, in prepare_url
>     raise InvalidURL('URL has an invalid label.')
> InvalidURL: URL has an invalid label.
>
> It is caused by recently upgraded packages python2-requests and
> python2-urllib3

I haven't tried this new package, but please open a ticket -- we should fix the tests to work with both package versions. Maybe Christian would know how to fix this bug with a minimal effort..

> ==
> Package                              Arch    Version          Repository
> ==
> Upgrading:
>  python2-requests                    noarch  2.12.1-1.fc26    rawhide
>  python2-urllib3                     noarch  1.19.1-1.fc26    rawhide
> Installing dependencies:
>  python-backports                    x86_64  1.0-8.fc25       rawhide
>  python-backports-ssl_match_hostname noarch  3.5.0.1-3.fc25   rawhide
>  python-enum34                       noarch  1.0.4-6.fc25     rawhide
>  python-idna                         noarch  2.1-1.fc26       rawhide
>  python-ipaddress                    noarch  1.0.16-3.fc25    rawhide
>  python-pycparser                    noarch  2.14-7.fc25      rawhide
>  python2-cffi                        x86_64  1.8.3-2.fc26     rawhide
>  python2-cryptography                x86_64  1.5.3-3.fc26     rawhide
>  python2-ply                         noarch  3.9-1.fc26       rawhide
>  python2-pyOpenSSL                   noarch  16.2.0-1.fc26    rawhide
>
> LS
[SSSD] [TESTS] test_secrets.py are failing on rawhide
ehlo,

FYI: There are failing integration tests on rawhide

test_secrets.py::test_containers FAILED

traceback
Traceback (most recent call last):
  File "/home/build/sssd/src/tests/intg/test_secrets.py", line 163, in test_containers
    cli.create_container("mycontainer")
  File "/home/build/sssd/src/tests/intg/secrets.py", line 136, in create_container
    res = self.post(name)
  File "/home/build/sssd/src/tests/intg/secrets.py", line 108, in post
    return self._request(self.session.post, name, **kwargs)
  File "/home/build/sssd/src/tests/intg/secrets.py", line 88, in _request
    self._last_response = cmd(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 535, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 474, in request
    prep = self.prepare_request(req)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 407, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 302, in prepare
    self.prepare_url(url, params)
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 372, in prepare_url
    raise InvalidURL('URL has an invalid label.')
InvalidURL: URL has an invalid label.

It is caused by recently upgraded packages python2-requests and python2-urllib3

==
Package                              Arch    Version          Repository
==
Upgrading:
 python2-requests                    noarch  2.12.1-1.fc26    rawhide
 python2-urllib3                     noarch  1.19.1-1.fc26    rawhide
Installing dependencies:
 python-backports                    x86_64  1.0-8.fc25       rawhide
 python-backports-ssl_match_hostname noarch  3.5.0.1-3.fc25   rawhide
 python-enum34                       noarch  1.0.4-6.fc25     rawhide
 python-idna                         noarch  2.1-1.fc26       rawhide
 python-ipaddress                    noarch  1.0.16-3.fc25    rawhide
 python-pycparser                    noarch  2.14-7.fc25      rawhide
 python2-cffi                        x86_64  1.8.3-2.fc26     rawhide
 python2-cryptography                x86_64  1.5.3-3.fc26     rawhide
 python2-ply                         noarch  3.9-1.fc26       rawhide
 python2-pyOpenSSL                   noarch  16.2.0-1.fc26    rawhide

LS
[SSSD] [sssd PR#70][comment] check_duplicate: check name member before using it
URL: https://github.com/SSSD/sssd/pull/70
Title: #70: check_duplicate: check name member before using it

celestian commented:
"""
@lslebodn, Lukas, are you satisfied by Sumit's explanation?
"""

See the full comment at https://github.com/SSSD/sssd/pull/70#issuecomment-261941593
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)

celestian commented:
"""
So, I pushed new version. Now `sysdb_get_sudo_filter()` uses `nameAlias` values.

(And after pushing #80 I will cherry-pick it to 1.13 too.)
"""

See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-261940320
[SSSD] [sssd PR#39][-Changes requested] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)

Label: -Changes requested
[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/39/head:pr39 git checkout pr39 From dbba27272c8ab358dbf6dea8adfedfe9d511c36d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Wed, 12 Oct 2016 16:48:38 +0200 Subject: [PATCH] SYSDB: Adding lowercase sudoUser form If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@... Resolves: https://fedorahosted.org/sssd/ticket/3203 (cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645) --- src/db/sysdb_sudo.c| 105 - src/db/sysdb_sudo.h| 7 +- src/responder/sudo/sudosrv_get_sudorules.c | 15 +++-- 3 files changed, 117 insertions(+), 10 deletions(-) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 76116ab..39a6558 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -216,9 +216,9 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx, } errno_t -sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, - uid_t uid, char **groupnames, unsigned int flags, - char **_filter) +sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, char **aliases, + uid_t uid, char **groupnames, bool case_sensitive_domain, + unsigned int flags, char **_filter) { TALLOC_CTX *tmp_ctx = NULL; char *filter = NULL; 
@@ -258,6 +258,15 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, SYSDB_SUDO_CACHE_AT_USER, sanitized); NULL_CHECK(specific_filter, ret, done); + +if (case_sensitive_domain == false) { +for (i = 0; aliases[i] != NULL; i++) { +specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)", + SYSDB_SUDO_CACHE_AT_USER, + aliases[i]); +NULL_CHECK(specific_filter, ret, done); +} +} } if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) { @@ -320,6 +329,7 @@ errno_t sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, const char *username, uid_t *_uid, + char ***_aliases, char ***groupnames) { TALLOC_CTX *tmp_ctx; @@ -327,15 +337,19 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, struct ldb_message *msg; struct ldb_message *group_msg = NULL; char **sysdb_groupnames = NULL; +char **sysdb_aliases = NULL; const char *primary_group = NULL; struct ldb_message_element *groups; +struct ldb_message_element *aliases; uid_t uid = 0; gid_t gid = 0; size_t num_groups = 0; +size_t num_aliases = 0; int i; const char *attrs[] = { SYSDB_MEMBEROF, SYSDB_GIDNUM, SYSDB_UIDNUM, +SYSDB_NAME_ALIAS, NULL }; const char *group_attrs[] = { SYSDB_NAME, NULL }; @@ -358,6 +372,24 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, } } +aliases = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); +if (!aliases || aliases->num_values == 0) { +/* No nameAlias for this user in sysdb currently */ +sysdb_aliases = NULL; +num_aliases = 0; +} else { +num_aliases = aliases->num_values; +sysdb_aliases = talloc_array(tmp_ctx, char *, num_aliases + 1); +NULL_CHECK(sysdb_aliases, ret, done); + +for (i = 0; i < aliases->num_values; i++) { +sysdb_aliases[i] = talloc_strdup(sysdb_aliases, + (const char *)aliases->values[i].data); +NULL_CHECK(sysdb_aliases[i], ret, done); +} +sysdb_aliases[aliases->num_values] = NULL; +} + /* resolve secondary groups */ if (groupnames != NULL) { groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF); 
@@ -421,6 +453,10 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, *_uid = uid; } +if (sysdb_aliases != NULL) { +*_aliases = talloc_steal(mem_ctx, sysdb_aliases); +} + if (groupnames != NULL) { *groupnames = talloc_steal(mem_ctx, sysdb_groupnames); } @@ -801,6 +837,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, +
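Review bot: in the `sysdb_get_sudo_filter` hunk, the new loop `for (i = 0; aliases[i] != NULL; i++)` dereferences `aliases` whenever `case_sensitive_domain == false`, but the `sysdb_get_sudo_user_info` hunks only assign `*_aliases` when `sysdb_aliases != NULL`, so a user with no `nameAlias` values leaves the caller's pointer untouched (NULL or uninitialized) and the loop crashes; guard the loop with `aliases != NULL &&` or always set `*_aliases`, even to NULL. Also, the username a few lines above is appended through `sanitized`, while `aliases[i]` goes straight into the LDB filter via `talloc_asprintf_append`; run each alias through the same sanitizing step first so filter metacharacters in a cached alias cannot change which rules the query matches.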
[SSSD] [sssd PR#83][comment] TESTS: Check new line at end of file
URL: https://github.com/SSSD/sssd/pull/83
Title: #83: TESTS: Check new line at end of file

spbnick commented:
"""
Ah, I see. Then you can put your patterns into a variable and check against them in the loop, similarly to the way it's done above in the script. You can use extended globs (with `shopt -s extglob`), or regexes as before. For globs the test will be if `[[ "$file" != $EXCLUDE_GLOB ]]`, and for regexes it will be `! [[ "$file" =~ $EXCLUDE_REGEX ]]`.
"""

See the full comment at https://github.com/SSSD/sssd/pull/83#issuecomment-261934231
[SSSD] [sssd PR#83][comment] TESTS: Check new line at end of file
URL: https://github.com/SSSD/sssd/pull/83
Title: #83: TESTS: Check new line at end of file

lslebodn commented:
"""
On (21/11/16 04:59), fidencio wrote:
>Okay, then.
>As long as my preferences are respected during the review of my patches we're
>fine. :-)

Sure I am not against separate patches for test and code especially for bigger features. I just prefer to have it together for small changes. But separate patches would not be a blocker for me even for small changes as in this patch.

LS
"""

See the full comment at https://github.com/SSSD/sssd/pull/83#issuecomment-261934892
[SSSD] [sssd PR#81][comment] Please see the commit message, the fix is hopefully simple
URL: https://github.com/SSSD/sssd/pull/81
Title: #81: Please see the commit message, the fix is hopefully simple

lslebodn commented:
"""
On (21/11/16 13:53), fidencio wrote:
>For future interactions would be way simpler if the reviewer could just push
>the patch with the simple fix and point it in the review instead of having it
>blocked here for a few days.

A) It is not a high priority or critical fix; so nothing was blocked.

B) In this case, the fixup change was simple. But there is still a question which changes are appropriate to be done before push and which are not. The author of the patch needn't agree with some changes. It would be OK if the author wrote "please change that before pushing the patch". But it would take the same amount of time as changing code and pushing it.

LS
"""

See the full comment at https://github.com/SSSD/sssd/pull/81#issuecomment-261933794
[SSSD] [sssd PR#83][comment] TESTS: Check new line at end of file
URL: https://github.com/SSSD/sssd/pull/83 Title: #83: TESTS: Check new line at end of file lslebodn commented: """ On (21/11/16 04:11), Nikolai Kondrashov wrote: >spbnick commented on this pull request. >> @@ -35,3 +35,15 @@ fi > exit found > } > " >+ >+declare found_file=0 >+git ls-files | \ >+grep -v "^src/config/testconfigs/noparse.api.conf" | \ >+grep -v "^src/tests/cmocka/p11_nssdb/.*db" | \ >+while read file; do >+test `tail -c 1 $file` && \ >+echo "no newline at eof: $file" && \ >+found_file=1 >+done >+ >+[ $found_file -eq 1] && exit 1 > >Another trick is to assign `true` or `false` to `found_file`. Then you can >simply write this: > >$found_file && exit 1 will do > "--exclude*" options does not work with "--cached" which is a defualt. Unfortuntately, it works only with --others --ignored. I didn't like that there is "grep -v" twice but single regex would not be very readable and I a not aware of better way how to filter out some lines. Anyway thank you very much for suggestions. LS """ See the full comment at https://github.com/SSSD/sssd/pull/83#issuecomment-261931169 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
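Review bot: in the quoted `+while read file; do` loop, `found_file=1` is assigned inside a `while` that is fed by a pipeline, which bash runs in a subshell, so the assignment never reaches the outer shell and the final `[ $found_file -eq 1] && exit 1` can never fire even when a file without a trailing newline is found; feed the loop with process substitution (`done < <(git ls-files | grep -v ... )`) or `exit 1` from inside the loop. The same test line is also missing the space before `]`, which `[` rejects as a syntax error, and `$file` in `tail -c 1 $file` should be quoted so paths with spaces do not split.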
[SSSD] [sssd PR#83][comment] TESTS: Check new line at end of file
URL: https://github.com/SSSD/sssd/pull/83
Title: #83: TESTS: Check new line at end of file

fidencio commented:
"""
Okay, then.
As long as my preferences are respected during the review of my patches we're fine. :-)
"""

See the full comment at https://github.com/SSSD/sssd/pull/83#issuecomment-261930622
[SSSD] [sssd PR#82][comment] KRB5: Remove spurious warning in logs
URL: https://github.com/SSSD/sssd/pull/82
Title: #82: KRB5: Remove spurious warning in logs

fidencio commented:
"""
Acked-by: Fabiano Fidêncio
"""

See the full comment at https://github.com/SSSD/sssd/pull/82#issuecomment-261929601
[SSSD] [sssd PR#83][comment] TESTS: Check new line at end of file
URL: https://github.com/SSSD/sssd/pull/83
Title: #83: TESTS: Check new line at end of file

lslebodn commented:
"""
On (21/11/16 04:46), fidencio wrote:
>Also, please, split this patch in two parts: "removing new line at the end of
>file" and "check new line at the end of file".
>

I prefer to have unit test together with fix.

LS

>--
>You are receiving this because you were mentioned.
>Reply to this email directly or view it on GitHub:
>https://github.com/SSSD/sssd/pull/83#issuecomment-261927606
"""

See the full comment at https://github.com/SSSD/sssd/pull/83#issuecomment-261929527
[SSSD] [sssd PR#81][comment] Please see the commit message, the fix is hopefully simple
URL: https://github.com/SSSD/sssd/pull/81 Title: #81: Please see the commit message, the fix is hopefully simple fidencio commented: """ So, AFAIU what's is missing is this small patch: ``` [ffidenci@cat x86_64]$ git diff diff --git a/src/external/inotify.m4 b/src/external/inotify.m4 index bcf9408..25259a8 100644 --- a/src/external/inotify.m4 +++ b/src/external/inotify.m4 @@ -7,7 +7,7 @@ AC_DEFUN([AM_CHECK_INOTIFY], AC_LINK_IFELSE( [AC_LANG_SOURCE([ #ifdef HAVE_SYS_INOTIFY_H -#include , +#include #endif int main () { return (-1 == inotify_init()); ``` Feel free to use the gist above as a different patch (I don't care about the ownership). For future interactions would be way simpler if the reviewer could just push the patch with the simple fix and point it in the review instead of having it blocked here for a few days. """ See the full comment at https://github.com/SSSD/sssd/pull/81#issuecomment-261929087 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
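Review bot: the header name is missing from both `#include` lines of the quoted hunk (`-#include ,` / `+#include`), presumably dropped by the mail archive, so the hunk cannot be verified exactly as displayed; the only visible change is the removal of the trailing comma after the include directive. A stray comma there makes the `AC_LANG_SOURCE` test program fail to compile, so `AC_LINK_IFELSE` takes its failure branch no matter whether `inotify_init()` actually links, which is consistent with the "fix is hopefully simple" description. Worth confirming by re-running `./configure` and checking the inotify probe result in config.log before this is pushed.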
[SSSD] [sssd PR#81][+Changes requested] Please see the commit message, the fix is hopefully simple
URL: https://github.com/SSSD/sssd/pull/81 Title: #81: Please see the commit message, the fix is hopefully simple Label: +Changes requested
[SSSD] [sssd PR#83][comment] TESTS: Check new line at end of file
URL: https://github.com/SSSD/sssd/pull/83 Title: #83: TESTS: Check new line at end of file fidencio commented: """ Also, please, split this patch in two parts: "removing new line at the end of file" and "check new line at the end of file". """ See the full comment at https://github.com/SSSD/sssd/pull/83#issuecomment-261927606
[SSSD] [sssd PR#83][+Changes requested] TESTS: Check new line at end of file
URL: https://github.com/SSSD/sssd/pull/83 Title: #83: TESTS: Check new line at end of file Label: +Changes requested
[SSSD] [sssd PR#80][edited] SYSDB: Fixing of sudorule without a sudoUser
URL: https://github.com/SSSD/sssd/pull/80 Author: celestian Title: #80: SYSDB: Fixing of sudorule without a sudoUser Action: edited Changed field: title Original value: """ SYSDB: Sudorule without a sudoUser returns EINVAL """
[SSSD] [sssd PR#83][comment] TESTS: Check new line at end of file
URL: https://github.com/SSSD/sssd/pull/83 Title: #83: TESTS: Check new line at end of file spbnick commented: """ @lslebodn I left one suggestion, if that's not what you needed, could you please specify in which way it should be "better"? """ See the full comment at https://github.com/SSSD/sssd/pull/83#issuecomment-261919223
[SSSD] [sssd PR#80][comment] SYSDB: Sudorule without a sudoUser returns EINVAL
URL: https://github.com/SSSD/sssd/pull/80 Title: #80: SYSDB: Sudorule without a sudoUser returns EINVAL celestian commented: """ New version pushed. """ See the full comment at https://github.com/SSSD/sssd/pull/80#issuecomment-261919172
[SSSD] [sssd PR#80][synchronized] SYSDB: Sudorule without a sudoUser returns EINVAL
URL: https://github.com/SSSD/sssd/pull/80 Author: celestian Title: #80: SYSDB: Sudorule without a sudoUser returns EINVAL Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/80/head:pr80 git checkout pr80 From 4b88046b007428f87eb7d022f34a54333116a375 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Wed, 16 Nov 2016 10:09:18 +0100 Subject: [PATCH] SYSDB: Fixing of sudorule without a sudoUser This patch solved a regression caused by the recent patches to lowercase sudoUser -- in case sudoUser is missing completely, we abort the processing of this rule and all others. With this patch, we return ERR_MALFORMED_ENTRY and gracefully skip the malformed rule instead. Resolves: https://fedorahosted.org/sssd/ticket/3241 --- src/db/sysdb_sudo.c | 5 + 1 file changed, 5 insertions(+) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 4bd93ff..f5160f1 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -874,6 +874,7 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +ret = ERR_MALFORMED_ENTRY; goto done; } @@ -977,6 +978,10 @@ sysdb_sudo_store(struct sss_domain_info *domain, /* Multiple CNs are error on server side, we can just ignore this * rule and save the others. Loud debug message is in logs. */ continue; +} else if (ret == ERR_MALFORMED_ENTRY) { +/* Attribute SYSDB_SUDO_CACHE_AT_USER is missing but we can + * continue with next sudoRule. */ +continue; } else if (ret != EOK) { goto done; } ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
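Review bot: in the `sysdb_sudo_add_lowered_users` hunk, `ret = ERR_MALFORMED_ENTRY;` is assigned inside the generic `if (ret != EOK)` branch, so every failure of the sudoUser attribute lookup, not only a missing attribute, is reported as a malformed entry and (via the second hunk) skipped; an allocation failure from the lookup would be swallowed the same way and the rule silently dropped. Suggest mapping only the not-found return of the attribute getter to `ERR_MALFORMED_ENTRY` and letting every other error propagate as before, and stating in the commit message which errno the getter returns for a missing attribute so the mapping is explicit (the original PR title mentions EINVAL, which is what the caller used to see).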
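Review bot: the new `else if (ret == ERR_MALFORMED_ENTRY)` branch in `sysdb_sudo_store` skips the rule without any log line, whereas the neighbouring multiple-CN branch relies on a "Loud debug message" already in the logs. For this case the only trace is the generic "Unable to get %s attribute" message from the first hunk, which does not say which rule was affected; consider adding a DEBUG here (SSSDBG_MINOR_FAILURE or similar) that names the sudoRule being dropped, so an administrator can see from sssd_<domain>.log why a rule never became effective. The inline comment would also read better as "sudoUser is missing" rather than the macro name, since the attribute name is what an admin searches for.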
[SSSD] [sssd PR#80][synchronized] SYSDB: Sudorule without a sudoUser returns EINVAL
URL: https://github.com/SSSD/sssd/pull/80 Author: celestian Title: #80: SYSDB: Sudorule without a sudoUser returns EINVAL Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/80/head:pr80 git checkout pr80 From f8706ec4e199f6db3d56f59542eea741dd35d551 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Wed, 16 Nov 2016 10:09:18 +0100 Subject: [PATCH] SYSDB: Fixinf of sudorule without a sudoUser This patch solved a regression caused by the recent patches to lowercase sudoUser -- in case sudoUser is missing completely, we abort the processing of this rule and all others. With this patch, we return ERR_MALFORMED_ENTRY and gracefully skip the malformed rule instead. Resolves: https://fedorahosted.org/sssd/ticket/3241 --- src/db/sysdb_sudo.c | 5 + 1 file changed, 5 insertions(+) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 4bd93ff..f5160f1 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -874,6 +874,7 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +ret = ERR_MALFORMED_ENTRY; goto done; } @@ -977,6 +978,10 @@ sysdb_sudo_store(struct sss_domain_info *domain, /* Multiple CNs are error on server side, we can just ignore this * rule and save the others. Loud debug message is in logs. */ continue; +} else if (ret == ERR_MALFORMED_ENTRY) { +/* Attribute SYSDB_SUDO_CACHE_AT_USER is missing but we can + * continue with next sudoRule. */ +continue; } else if (ret != EOK) { goto done; } ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
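Review bot: the commit subject "SYSDB: Fixinf of sudorule without a sudoUser" has a typo (Fixinf) and "This patch solved a regression" should be present tense; the diff itself (index 4bd93ff..f5160f1, the same two hunks) is identical to the later push 4b88046, so the same two points apply here: the first hunk turns every non-EOK return of the attribute lookup into `ERR_MALFORMED_ENTRY`, not only the missing-sudoUser case, and the second hunk skips the rule with no log line identifying it.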
[SSSD] [sssd PR#83][opened] TESTS: Check new line at end of file
URL: https://github.com/SSSD/sssd/pull/83 Author: lslebodn Title: #83: TESTS: Check new line at end of file Action: opened PR body: """ @spbnick Do you have a better idea how to filter out exceptions in `src/tests/whitespace_test` """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/83/head:pr83 git checkout pr83 From 9cb2e21921605ada794f67178085962961c10f51 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Sat, 19 Nov 2016 22:02:07 +0100 Subject: [PATCH] TESTS: Check new line at end of file --- src/external/configlib.m4 | 2 +- src/lib/idmap/sss_idmap.exports | 2 +- src/tests/cwrap/cwrap_test_setup.sh | 2 +- src/tests/whitespace_test | 12 4 files changed, 15 insertions(+), 3 deletions(-) diff --git a/src/external/configlib.m4 b/src/external/configlib.m4 index ad6c1a9..47ca5d0 100644 --- a/src/external/configlib.m4 +++ b/src/external/configlib.m4 @@ -9,4 +9,4 @@ AM_CONDITIONAL([BUILD_CONFIG_LIB], AM_COND_IF([BUILD_CONFIG_LIB], [AC_DEFINE_UNQUOTED(HAVE_CONFIG_LIB, 1, -[Build with internal config library])]) \ No newline at end of file +[Build with internal config library])]) diff --git a/src/lib/idmap/sss_idmap.exports b/src/lib/idmap/sss_idmap.exports index f10feea..8406777 100644 --- a/src/lib/idmap/sss_idmap.exports +++ b/src/lib/idmap/sss_idmap.exports @@ -63,4 +63,4 @@ SSS_IDMAP_0.5 { sss_idmap_ctx_set_extra_slice_init; sss_idmap_add_auto_domain_ex; -} SSS_IDMAP_0.4; \ No newline at end of file +} SSS_IDMAP_0.4; diff --git a/src/tests/cwrap/cwrap_test_setup.sh b/src/tests/cwrap/cwrap_test_setup.sh index 68d731d..e2f78e9 100755 --- a/src/tests/cwrap/cwrap_test_setup.sh +++ b/src/tests/cwrap/cwrap_test_setup.sh @@ -16,4 +16,4 @@ export NSS_WRAPPER_GROUP=$CWRAP_TEST_SRCDIR/group export UID_WRAPPER=1 export UID_WRAPPER_ROOT=1 -export LDB_MODULES_PATH=$ABS_TOP_BUILDDIR/ldb_mod_test_dir \ No newline at end of file +export LDB_MODULES_PATH=$ABS_TOP_BUILDDIR/ldb_mod_test_dir 
diff --git a/src/tests/whitespace_test b/src/tests/whitespace_test index e972b30..26c6985 100755 --- a/src/tests/whitespace_test +++ b/src/tests/whitespace_test @@ -35,3 +35,15 @@ fi exit found } " + +declare found_file=0 +git ls-files | \ +grep -v "^src/config/testconfigs/noparse.api.conf" | \ +grep -v "^src/tests/cmocka/p11_nssdb/.*db" | \ +while read file; do +test `tail -c 1 $file` && \ +echo "no newline at eof: $file" && \ +found_file=1 +done + +[ $found_file -eq 1] && exit 1 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
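Review bot: the check in the `src/tests/whitespace_test` hunk cannot report a failure as written: `found_file=1` is set inside a `while read file` loop that is the last stage of a pipeline (`git ls-files | grep -v ... | while read file; do ...`), so bash runs the loop in a subshell and the outer `found_file` stays 0. Also, `[ $found_file -eq 1]` lacks the space before `]`, which `[` rejects as a syntax error, and because that test is the script's final command its non-zero status becomes the script's exit status even when no offending file exists. The unquoted `$file` in `tail -c 1 $file` also breaks on paths containing whitespace. Suggest feeding the loop with process substitution (`done < <(git ls-files | grep -v ...)`), quoting `"$file"`, writing `[ "$found_file" -eq 1 ] && exit 1` and ending with an explicit `exit 0` (or `exit $found_file`). Regarding the PR body's question about filtering exceptions: `git ls-files` accepts exclude pathspecs (`git ls-files -- . ':!src/config/testconfigs/noparse.api.conf' ':!src/tests/cmocka/p11_nssdb/*db'`), which would replace the `grep -v` chain.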
[SSSD] [sssd PR#82][opened] KRB5: Remove spurious warning in logs
URL: https://github.com/SSSD/sssd/pull/82 Author: lslebodn Title: #82: KRB5: Remove spurious warning in logs Action: opened PR body: """ The option krb5_map_user is empty by default. Therefore we should not confuse users wih warning (Fri Nov 15 09:58:49 2016) [sssd[be[example.com]]] [parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty! """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/82/head:pr82 git checkout pr82 From 8e0aa3d230195d585bdcb506b38fbe3206b1195f Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Sat, 19 Nov 2016 18:55:37 +0100 Subject: [PATCH] KRB5: Remove spurious warning in logs The option krb5_map_user is empty by default. Therefore we should not confuse users wih warning (Fri Nov 15 09:58:49 2016) [sssd[be[example.com]]] [parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty! --- src/providers/krb5/krb5_utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c index e968dfa..1389596 100644 --- a/src/providers/krb5/krb5_utils.c +++ b/src/providers/krb5/krb5_utils.c @@ -539,7 +539,7 @@ parse_krb5_map_user(TALLOC_CTX *mem_ctx, } if (krb5_map_user == NULL || strlen(krb5_map_user) == 0) { -DEBUG(SSSDBG_FUNC_DATA, "Warning: krb5_map_user is empty!\n"); +DEBUG(SSSDBG_CONF_SETTINGS, "krb5_map_user is empty!\n"); size = 0; } else { ret = split_on_separator(tmp_ctx, krb5_map_user, ',', true, true, ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
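Review bot: the hunk keeps the message text "krb5_map_user is empty!\n", so the trailing exclamation mark still reads as a warning even though the "Warning:" prefix is gone; since the PR body says an empty value is the default, a neutral wording such as "krb5_map_user is not set, no user mapping will be applied" would match the intent better. Note also that SSSDBG_CONF_SETTINGS (0x0100) sits one level below SSSDBG_FUNC_DATA (0x0200, the level shown in the quoted log line), so the message will be emitted at least as often as before; the effective fix is the wording, not the level, and the commit message should say so rather than suggesting the line is being demoted.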
[SSSD] Re: [Q] t3222 sssd still showing ipa user after removed from last group
On (15/11/16 10:03), Lukas Slebodnik wrote:
>On (15/11/16 09:39), Jakub Hrozek wrote:
>>On Wed, Nov 09, 2016 at 04:44:12PM +0100, Petr Cech wrote:
>>> Hi all,
>>>
>>> I came back to ticket #3222 "sssd still showing ipa user after removed from
>>> last group" [1]. And I have new knowledge. But I still do not see the light
>>> at the end of the tunnel.
>>>
>>> [1] https://fedorahosted.org/sssd/ticket/3222
>>>
>>> I attached a patch which enables some basic debug on the use of memcache. And
>>> two reproducers (with and without memcache) which are based on the reproducer
>>> written in the ticket.
>>>
>>> If we use memcache, the issue occurs only sometimes.
>>>
>>> The difference between both cases is the mixed state of the switch after the
>>> sss_nss_mc_getgrnam() call in the _nss_sss_getgrnam_r() function.
>>>
>>> Note: code says (for default case):
>>> /* if using the mmaped cache failed,
>>>  * fall back to socket based comms */
>>>
>>>
>>> Could anyone help, please?
>>
>>Hi Petr,
>>
>>this really seems like an issue with memory cache. I'm not an expert
>>there, unfortunately, so I wonder what Michal and Lukas think..
>I cannot see any problem with memory cache here.
>The same data are stored to memory cache as are returned
>to client. If there is a bug then the bug is before storing
>data to memory cache. They might be caused by some race condition caused
>by different timeout for various entries in memory cache.
>
BTW, it looks like I can reproduce similar intermittent failures with the
downstream test (user-membership-list) as well. The only problem is that
I cannot reproduce it on el6.8 which has sssd-1.13.3-22. And memory cache
was changed last time in sssd-1.13.2 (https://fedorahosted.org/sssd/ticket/2726)

The bug has to be on the responder side.

LS