[SSSD] [sssd PR#141][comment] PAM: Use cache_req to perform initgroups lookups
URL: https://github.com/SSSD/sssd/pull/141
Title: #141: PAM: Use cache_req to perform initgroups lookups

fidencio commented:
"""
CI: http://sssd-ci.duckdns.org/logs/job/63/43/summary.html
"""

See the full comment at https://github.com/SSSD/sssd/pull/141#issuecomment-282157874
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#141][synchronized] PAM: Use cache_req to perform initgroups lookups
URL: https://github.com/SSSD/sssd/pull/141
Author: fidencio
Title: #141: PAM: Use cache_req to perform initgroups lookups
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/141/head:pr141
git checkout pr141

From 143d84ac936f38648f0cd603c54891f9d8554cd0 Mon Sep 17 00:00:00 2001
From: Fabiano Fidêncio
Date: Thu, 2 Feb 2017 13:06:30 +0100
Subject: [PATCH 1/4] CACHE_REQ: Add cache_req_data_set_bypass_cache()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This new cache_req_data method has been added because of the upcoming changes in the PAM responder.

For deciding whether to contact the cache, or just query the data provider directly, the PAM responder calls pam_initgr_check_timeout(), which will return whether the cache entry may still be valid. The cache will be contacted only in case the cache entry is still valid, otherwise the data provider will be called.

pam_initgr_check_timeout() basically checks whether the user (being looked up) is still a part of an in-memory hash table. Because the entry is a part of the hash table for a really short period of time, and is automatically removed, the communication with the data provider is forced to happen quite often.

As the follow-up changes should not modify this behaviour, this function was introduced so we can still call pam_initgr_check_timeout() and pass its result to the cache_req call that will perform the lookup.

Related: https://fedorahosted.org/sssd/ticket/1126

Signed-off-by: Fabiano Fidêncio
---
 src/responder/common/cache_req/cache_req.h         | 3 +++
 src/responder/common/cache_req/cache_req_data.c    | 7 +++
 src/responder/common/cache_req/cache_req_private.h | 2 ++
 src/responder/common/cache_req/cache_req_search.c  | 2 +-
 4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h index 185558d..d0e5ff4 100644 --- a/src/responder/common/cache_req/cache_req.h +++ b/src/responder/common/cache_req/cache_req.h @@ -111,6 +111,9 @@ cache_req_data_host(TALLOC_CTX *mem_ctx, const char *name, const char *alias, const char **attrs); +void +cache_req_data_set_bypass_cache(struct cache_req_data *data, +bool bypass_cache); /* Output data. */ diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c index b2e22ec..729e187 100644 --- a/src/responder/common/cache_req/cache_req_data.c +++ b/src/responder/common/cache_req/cache_req_data.c @@ -357,3 +357,10 @@ cache_req_data_host(TALLOC_CTX *mem_ctx, return cache_req_data_create(mem_ctx, type, ); } + +void +cache_req_data_set_bypass_cache(struct cache_req_data *data, +bool bypass_cache) +{ +data->bypass_cache = bypass_cache; +} diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h index cc47375..3839f5a 100644 --- a/src/responder/common/cache_req/cache_req_private.h +++ b/src/responder/common/cache_req/cache_req_private.h @@ -84,6 +84,8 @@ struct cache_req_data { struct cache_req_cased_name protocol; uint16_t port; } svc; + +bool bypass_cache; }; struct tevent_req * diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c index eed82cf..ebbc2c7 100644 --- a/src/responder/common/cache_req/cache_req_search.c +++ b/src/responder/common/cache_req/cache_req_search.c @@ -214,7 +214,7 @@ cache_req_search_send(TALLOC_CTX *mem_ctx, */ state->result = NULL; status = CACHE_OBJECT_MISSING; -if (!cr->plugin->bypass_cache) { +if (!cr->plugin->bypass_cache && !cr->data->bypass_cache) { ret = cache_req_search_cache(state, cr, >result); if (ret != EOK && ret != ENOENT) { goto done; From dd4c7354b9a263d9511233f896caafc07f911d03 Mon Sep 17 00:00:00 2001 
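Review bot: the new public prototype of cache_req_data_set_bypass_cache() in the cache_req.h hunk carries no comment, while the reasoning for it (the PAM responder passes the result of pam_initgr_check_timeout() so that an expired in-memory entry forces a data-provider round trip) lives only in the commit message. Suggest a short comment above the declaration stating that setting bypass_cache to true makes the request skip the cache lookup and go straight to the data provider, and that the flag is false by default.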
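Review bot: in the cache_req_search.c hunk, `if (!cr->plugin->bypass_cache && !cr->data->bypass_cache)` skips the cache whenever either flag is set, which matches the intent, but every existing caller now depends on the new `bool bypass_cache` member of struct cache_req_data being zero-initialised. cache_req_data_create() is only called, not changed, in this patch (see the cache_req_data.c hunk), so please confirm it allocates the struct with talloc_zero() or explicitly sets the field to false; otherwise requests that never call the setter would read an uninitialised flag and could bypass the cache unpredictably.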
From: Fabiano Fidêncio
Date: Thu, 2 Feb 2017 13:19:18 +0100
Subject: [PATCH 2/4] PAM: Use cache_req to perform initgroups lookups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The PAM responder has already been taking advantage of the cache_req interface, so this patch is just replacing some code that performs initgroups lookups by using cache_req to do so.

Resolves: https://fedorahosted.org/sssd/ticket/1126

Signed-off-by: Fabiano Fidêncio
---
 src/providers/data_provider.h  |   1 -
 src/responder/pam/pamsrv.h     |   1 -
 src/responder/pam/pamsrv_cmd.c | 476 +++--
 3 files changed, 77 insertions(+), 401 deletions(-)

diff --git a/src/providers/data_provider.h
[SSSD] [sssd PR#141][-Changes requested] PAM: Use cache_req to perform initgroups lookups
URL: https://github.com/SSSD/sssd/pull/141
Title: #141: PAM: Use cache_req to perform initgroups lookups
Label: -Changes requested
[SSSD] [sssd PR#141][comment] PAM: Use cache_req to perform initgroups lookups
URL: https://github.com/SSSD/sssd/pull/141
Title: #141: PAM: Use cache_req to perform initgroups lookups

fidencio commented:
"""
Big thanks to @sumit-bose who helped me with the tests not passing due to the rebase and for pointing out a whole piece of code that could also be dropped as part of the "PAM: Use cache_req to perform initgroups lookups" patch.

I'm updating this new series here and I'd highly recommend having this patchset re-tested by the reviewers.
"""

See the full comment at https://github.com/SSSD/sssd/pull/141#issuecomment-282144466
[SSSD] [sssd PR#167][synchronized] Add missing dyndns_auth option to AD and IPA provider man pages
URL: https://github.com/SSSD/sssd/pull/167
Author: justin-stephenson
Title: #167: Add missing dyndns_auth option to AD and IPA provider man pages
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/167/head:pr167
git checkout pr167

From 60238d2900e8100865256a66b9c95fcc404535c8 Mon Sep 17 00:00:00 2001
From: Justin Stephenson
Date: Thu, 23 Feb 2017 13:14:08 -0500
Subject: [PATCH] MAN: Add dyndns_auth option

Add the dyndns_auth option into the AD or IPA provider man pages for more configuration information of nsupdate behavior.
---
 src/man/sssd-ad.5.xml  | 15 +++
 src/man/sssd-ipa.5.xml | 15 +++
 2 files changed, 30 insertions(+)

diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 083aa3d..f9aadc7 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml @@ -941,6 +941,21 @@ ad_gpo_map_deny = +my_pam_service +dyndns_auth (string) + + +Whether the nsupdate utility should use GSS-TSIG +authentication for secure updates with the DNS +server, insecure updates can be sent by setting +this option to 'none'. + + +Default: GSS-TSIG + + + + + dyndns_server (string) diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index 6dca186..fee6441 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml @@ -193,6 +193,21 @@ +dyndns_auth (string) + + +Whether the nsupdate utility should use GSS-TSIG +authentication for secure updates with the DNS +server, insecure updates can be sent by setting +this option to 'none'. + + +Default: GSS-TSIG + + + + + ipa_enable_dns_sites (boolean)
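Review bot: the new dyndns_auth paragraph, identical in the sssd-ad.5.xml and sssd-ipa.5.xml hunks, is a comma splice: "Whether the nsupdate utility should use GSS-TSIG authentication for secure updates with the DNS server, insecure updates can be sent by setting this option to 'none'." Suggest splitting it after "server", e.g. "... secure updates with the DNS server. Insecure updates can be sent by setting this option to 'none'." It would also help the administrator to state the two accepted values ('GSS-TSIG' and 'none') explicitly rather than leaving one of them implied by the "Default: GSS-TSIG" line.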
[SSSD] [sssd PR#167][opened] Add missing dyndns_auth option to AD and IPA provider man pages
URL: https://github.com/SSSD/sssd/pull/167
Author: justin-stephenson
Title: #167: Add missing dyndns_auth option to AD and IPA provider man pages
Action: opened

PR body:
"""
Add the **dyndns_auth** option into the `sssd-ad` and `sssd-ipa` provider man pages for more configuration information regarding nsupdate behavior.

There was no ticket for this, I wasn't sure if it was required to create one for this already-implemented option.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/167/head:pr167
git checkout pr167

From e4833d4c87502f3eeb5901ebda51afeee7176121 Mon Sep 17 00:00:00 2001
From: Justin Stephenson
Date: Thu, 23 Feb 2017 13:14:08 -0500
Subject: [PATCH] MAN: Add dyndns_auth option

Add the dyndns_auth option into the AD or IPA provider man pages for more configuration information of nsupdate behavior.
---
 src/man/sssd-ad.5.xml  | 12
 src/man/sssd-ipa.5.xml | 12
 2 files changed, 24 insertions(+)

diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 083aa3d..c7f928b 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml @@ -941,6 +941,18 @@ ad_gpo_map_deny = +my_pam_service +dyndns_auth (string) + + +Whether the nsupdate utility should use GSS-TSIG authentication for secure updates with the DNS server, insecure updates can be sent by setting this option to 'none'. + + +Default: GSS-TSIG + + + + + dyndns_server (string) diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index 6dca186..10f33c0 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml @@ -193,6 +193,18 @@ +dyndns_auth (string) + + +Whether the nsupdate utility should use GSS-TSIG authentication for secure updates with the DNS server, insecure updates can be sent by setting this option to 'none'. + + +Default: GSS-TSIG + + + + + ipa_enable_dns_sites (boolean)
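Review bot: in both hunks the inserted description is a single unwrapped line, whereas the surrounding text in sssd-ad.5.xml and sssd-ipa.5.xml is wrapped at the usual source width; please reflow it to match (the later "synchronized" revision of this PR does so). The sentence is also a comma splice ("... secure updates with the DNS server, insecure updates can be sent ...") and reads better as two sentences.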
[SSSD] [sssd PR#167][comment] Add missing dyndns_auth option to AD and IPA provider man pages
URL: https://github.com/SSSD/sssd/pull/167
Title: #167: Add missing dyndns_auth option to AD and IPA provider man pages

centos-ci commented:
"""
Can one of the admins verify this patch?
"""

See the full comment at https://github.com/SSSD/sssd/pull/167#issuecomment-282076596
[SSSD] Trac is now read only in preparation for migration to pagure.io
Hi,

since fedorahosted.org is going down and we're migrating the sssd project to pagure.io, I've removed permissions in trac from anyone who wasn't TRAC_ADMIN previously.

Lukas will send more details about the migration soon.
[SSSD] [sssd PR#141][comment] PAM: Use cache_req to perform initgroups lookups
URL: https://github.com/SSSD/sssd/pull/141
Title: #141: PAM: Use cache_req to perform initgroups lookups

fidencio commented:
"""
@jhrozek: I'm doing that, but it's going to take some time and I do believe patches will have to be reviewed again (as more changes are being done in order to have the tests passing ...)
"""

See the full comment at https://github.com/SSSD/sssd/pull/141#issuecomment-281972197
[SSSD] [sssd PR#152][+Changes requested] Add a tevent wrapper around libcurl's asynchronous interface
URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface
Label: +Changes requested
[SSSD] [sssd PR#163][synchronized] Enable the files domain for all sssd configurations
URL: https://github.com/SSSD/sssd/pull/163
Author: jhrozek
Title: #163: Enable the files domain for all sssd configurations
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/163/head:pr163
git checkout pr163

From 47a28714c047385b9800473627f570662215670d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 21 Feb 2017 16:34:45 +0100
Subject: [PATCH 1/5] MONITOR: Enable an implicit files domain if one is not configured

Resolves: https://fedorahosted.org/sssd/ticket/3112

If SSSD is compiled with --enable-files-domain, the loading of the domains changes such that:
* if no domain with id_provider=files exists in the config file, an implicit SSSD files domain is added
* this domain is always first in the list

The administrator is free to create a files domain in the config file himself and either place it at the end of the list or not enable it at all.
---
 src/conf_macros.m4    |  12
 src/confdb/confdb.c   | 165 ++
 src/confdb/confdb.h   |   3 +
 src/monitor/monitor.c |  11
 4 files changed, 191 insertions(+)

diff --git a/src/conf_macros.m4 b/src/conf_macros.m4 index 427b0e0..bd65217 100644 --- a/src/conf_macros.m4 +++ b/src/conf_macros.m4 @@ -903,3 +903,15 @@ AC_DEFUN([WITH_SECRETS_DB_PATH], AC_SUBST(secdbpath) AC_DEFINE_UNQUOTED(SECRETS_DB_PATH, "$config_secdbpath", [Path to the SSSD Secrets databases]) ]) + +AC_ARG_ENABLE([files-domain], + [AS_HELP_STRING([--enable-files-domain], + [If this feature is enabled, then SSSD always enables + a domain with id_provider=files even if the domain + is not specified in the config file + [default=no]])], + [enable_files_domain=$enableval], + [enable_files_domain=no]) +AS_IF([test x$enable_files_domain = xyes], + AC_DEFINE_UNQUOTED([ADD_FILES_DOMAIN], [1], + [whether to build unconditionally enable files domain])) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index c7afd68..980cabc 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c
@@ -1643,3 +1643,168 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx, talloc_free(tmp_ctx); return ret; } + +#ifdef ADD_FILES_DOMAIN +static int confdb_has_files_domain(struct confdb_ctx *cdb) +{ +TALLOC_CTX *tmp_ctx = NULL; +struct ldb_dn *dn = NULL; +struct ldb_result *res = NULL; +static const char *attrs[] = {CONFDB_DOMAIN_ID_PROVIDER, NULL}; +const char *id_provider = NULL; +int ret; +unsigned int i; + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +dn = ldb_dn_new(tmp_ctx, cdb->ldb, CONFDB_DOMAIN_BASEDN); +if (dn == NULL) { +ret = ENOMEM; +goto done; +} + +ret = ldb_search(cdb->ldb, tmp_ctx, , dn, LDB_SCOPE_ONELEVEL, + attrs, NULL); +if (ret != LDB_SUCCESS) { +ret = EIO; +goto done; +} + +for (i = 0; i < res->count; i++) { +id_provider = ldb_msg_find_attr_as_string(res->msgs[i], + CONFDB_DOMAIN_ID_PROVIDER, + NULL); +if (id_provider == NULL) { +DEBUG(SSSDBG_CRIT_FAILURE, + "The object [%s] doesn't have a id_provider\n", + ldb_dn_get_linearized(res->msgs[i]->dn)); +ret = EINVAL; +goto done; +} + +if (strcasecmp(id_provider, "files") == 0) { +break; +} +} + +ret = i < res->count ? 
EOK : ENOENT; +done: +talloc_free(tmp_ctx); +return ret; +} + +static int create_files_domain(struct confdb_ctx *cdb, + const char *name) +{ +TALLOC_CTX *tmp_ctx = NULL; +errno_t ret; +char *cdb_path = NULL; +const char *val[2] = {NULL, NULL}; + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); +return ENOMEM; +} + +cdb_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL, name); +if (cdb_path == NULL) { +ret = ENOMEM; +goto done; +} + +val[0] = "files"; +ret = confdb_add_param(cdb, true, cdb_path, "id_provider", val); +if (ret != EOK) { +DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add id_provider [%d]: %s\n", + ret, sss_strerror(ret)); +goto done; +} + +ret = EOK; +done: +talloc_free(tmp_ctx); +return ret; +} + +static int activate_files_domain(struct confdb_ctx *cdb, + const char *name) +{ +errno_t ret; +TALLOC_CTX *tmp_ctx; +char *monitor_domlist; +const char *domlist[2] = { NULL, NULL }; + +tmp_ctx = talloc_new(NULL); +
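Review bot: in the conf_macros.m4 hunk the description passed to AC_DEFINE_UNQUOTED for ADD_FILES_DOMAIN, `[whether to build unconditionally enable files domain]`, is not a sentence; suggest `[whether to unconditionally enable the files domain]` so the generated config.h comment reads cleanly. The AS_HELP_STRING text above it is fine and agrees with the `enable_files_domain=no` default.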
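Review bot: in confdb_has_files_domain() (confdb.c hunk) a domain entry without an id_provider aborts the whole scan with EINVAL, so one misconfigured domain section prevents the implicit files domain from ever being added, even though that missing option will be reported again when the domain itself is loaded. Consider logging the entry and `continue`-ing past it instead of `goto done`, so the remaining entries are still checked for id_provider=files. Two smaller points in the same hunk: the debug message should read "doesn't have an id_provider", and `ret` is declared `int` here while create_files_domain() and activate_files_domain() in the same hunk use `errno_t`.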
[SSSD] [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface
URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

pbrezina commented:
"""
Ack from my side. We can push these patches. I will modify the integration to some extent for `secrets` needs.
"""

See the full comment at https://github.com/SSSD/sssd/pull/152#issuecomment-281951656
[SSSD] [sssd PR#141][comment] PAM: Use cache_req to perform initgroups lookups
URL: https://github.com/SSSD/sssd/pull/141
Title: #141: PAM: Use cache_req to perform initgroups lookups

jhrozek commented:
"""
@fidencio , can you rebase this branch atop Sumit's PKINIT patches so we can merge it?
"""

See the full comment at https://github.com/SSSD/sssd/pull/141#issuecomment-281947395
[SSSD] [sssd PR#141][+Changes requested] PAM: Use cache_req to perform initgroups lookups
URL: https://github.com/SSSD/sssd/pull/141
Title: #141: PAM: Use cache_req to perform initgroups lookups
Label: +Changes requested
[SSSD] [sssd PR#153][-Changes requested] sss_cache: User/groups invalidation in domain cache
URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache
Label: -Changes requested
[SSSD] [sssd PR#165][comment] selinux: Do not fail if SELinux is not managed
URL: https://github.com/SSSD/sssd/pull/165
Title: #165: selinux: Do not fail if SELinux is not managed

lslebodn commented:
"""
On (23/02/17 00:40), Jakub Hrozek wrote:
>On Wed, Feb 22, 2017 at 10:20:08AM -0800, mzidek-rh wrote:
>> Previously we failed if selinux_is_managed returned
>> 0 or -1 (not managed or error). With this patch we
>> only fail in case of error and continue normally if
>> selinux is not managed by libsemanage at all.
>>
>> Resolves:
>> https://fedorahosted.org/sssd/ticket/3297
>> You can view, comment on, or merge this pull request online at:
>>
>> https://github.com/SSSD/sssd/pull/165
>
>So far I only scrolled through the diff, but it looks OK. Did you try
>building the package for @adelton to see if it fixes the issue he was
>seeing?
>

Firstly we need to ensure that we do not break selinux integration.
Then we can check use case with disabled SELinux.

LS
"""

See the full comment at https://github.com/SSSD/sssd/pull/165#issuecomment-281942899
[SSSD] [sssd PR#152][-Changes requested] Add a tevent wrapper around libcurl's asynchronous interface
URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface
Label: -Changes requested
[SSSD] [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface
URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

jhrozek commented:
"""
@lslebodn could you please check if you agree with how the curlwrap tool is built and detected during the intgcheck target? The intent was to skip building it on old platforms or when building without libcurl. In that case, the integration tests that need the curlwrap tool are skipped.
"""

See the full comment at https://github.com/SSSD/sssd/pull/152#issuecomment-281942128
[SSSD] [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface
URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

jhrozek commented:
"""
Thank you, hopefully I addressed all concerns.
"""

See the full comment at https://github.com/SSSD/sssd/pull/152#issuecomment-281941839
[SSSD] [sssd PR#162][-Changes requested] cache_req: use own namespace for UPNs
URL: https://github.com/SSSD/sssd/pull/162
Title: #162: cache_req: use own namespace for UPNs
Label: -Changes requested
[SSSD] [sssd PR#162][comment] cache_req: use own namespace for UPNs
URL: https://github.com/SSSD/sssd/pull/162
Title: #162: cache_req: use own namespace for UPNs

sumit-bose commented:
"""
Oops, I'm sorry, I'm quite sure I ran 'make check' a couple of times but I didn't run 'make clean' so I guess this test wasn't rebuilt. The new version should fix it.
"""

See the full comment at https://github.com/SSSD/sssd/pull/162#issuecomment-281938465
[SSSD] [sssd PR#164][closed] Remove unused import of run_shell from tests
URL: https://github.com/SSSD/sssd/pull/164
Author: jhrozek
Title: #164: Remove unused import of run_shell from tests
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/164/head:pr164
git checkout pr164
[SSSD] [sssd PR#164][-Accepted] Remove unused import of run_shell from tests
URL: https://github.com/SSSD/sssd/pull/164
Title: #164: Remove unused import of run_shell from tests
Label: -Accepted
[SSSD] [sssd PR#164][comment] Remove unused import of run_shell from tests
URL: https://github.com/SSSD/sssd/pull/164
Title: #164: Remove unused import of run_shell from tests

jhrozek commented:
"""
* master: 1b55ac98db6a319d45edae6c27ff3804f1f4d28a
"""

See the full comment at https://github.com/SSSD/sssd/pull/164#issuecomment-281938239
[SSSD] [sssd PR#162][synchronized] cache_req: use own namespace for UPNs
URL: https://github.com/SSSD/sssd/pull/162
Author: sumit-bose
Title: #162: cache_req: use own namespace for UPNs
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/162/head:pr162
git checkout pr162

From 8272eb62e06f81b70895547358de9cd7cda248a4 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 22 Feb 2017 14:34:06 +0100
Subject: [PATCH] cache_req: use own namespace for UPNs

If the UPN uses the same domain name as the configured domain an unsuccessful lookup by name will already create an entry in the negative cache. If the lookup by UPN would use the same namespace the lookup will immediately be finished because there would already be an entry in the negative cache.

Resolves https://fedorahosted.org/sssd/ticket/3313
---
 Makefile.am                                    |  1 +
 .../cache_req/plugins/cache_req_user_by_upn.c  |  4 +-
 src/responder/common/negcache.c                | 36
 src/responder/common/negcache.h                |  4 ++
 src/tests/cmocka/test_nss_srv.c                | 49 ++
 src/tests/cmocka/test_responder_cache_req.c    |  6 +--
 6 files changed, 95 insertions(+), 5 deletions(-)

diff --git a/Makefile.am b/Makefile.am index e676e18..8e8eb9a 100644 --- a/Makefile.am +++ b/Makefile.am @@ -2192,6 +2192,7 @@ nss_srv_tests_CFLAGS = \ $(AM_CFLAGS) nss_srv_tests_LDFLAGS = \ -Wl,-wrap,sss_ncache_check_user \ +-Wl,-wrap,sss_ncache_check_upn \ -Wl,-wrap,sss_ncache_check_uid \ -Wl,-wrap,sss_ncache_check_sid \ -Wl,-wrap,sss_ncache_check_cert \ diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c index f496479..9c69573 100644 --- a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +++ b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
@@ -66,7 +66,7 @@ cache_req_user_by_upn_ncache_check(struct sss_nc_ctx *ncache, struct sss_domain_info *domain, struct cache_req_data *data) { -return sss_ncache_check_user(ncache, domain, data->name.lookup); +return sss_ncache_check_upn(ncache, domain, data->name.lookup); } static errno_t @@ -74,7 +74,7 @@ cache_req_user_by_upn_ncache_add(struct sss_nc_ctx *ncache, struct sss_domain_info *domain, struct cache_req_data *data) { -return sss_ncache_set_user(ncache, false, domain, data->name.lookup); +return sss_ncache_set_upn(ncache, false, domain, data->name.lookup); } static errno_t diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c index 944a06e..084c47a 100644 --- a/src/responder/common/negcache.c +++ b/src/responder/common/negcache.c @@ -289,6 +289,24 @@ int sss_ncache_check_user(struct sss_nc_ctx *ctx, struct sss_domain_info *dom, return sss_cache_check_ent(ctx, dom, name, sss_ncache_check_user_int); } +int sss_ncache_check_upn(struct sss_nc_ctx *ctx, struct sss_domain_info *dom, + const char *name) +{ +char *neg_cache_name = NULL; +errno_t ret; + +neg_cache_name = talloc_asprintf(ctx, "@%s", name); +if (neg_cache_name == NULL) { +return ENOMEM; +} + +ret = sss_cache_check_ent(ctx, dom, neg_cache_name, + sss_ncache_check_user_int); +talloc_free(neg_cache_name); + +return ret; +} + int sss_ncache_check_group(struct sss_nc_ctx *ctx, struct sss_domain_info *dom, const char *name) { 
@@ -540,6 +558,24 @@ int sss_ncache_set_user(struct sss_nc_ctx *ctx, bool permanent, return sss_ncache_set_ent(ctx, permanent, dom, name, sss_ncache_set_user_int); } +int sss_ncache_set_upn(struct sss_nc_ctx *ctx, bool permanent, + struct sss_domain_info *dom, const char *name) +{ +char *neg_cache_name = NULL; +errno_t ret; + +neg_cache_name = talloc_asprintf(ctx, "@%s", name); +if (neg_cache_name == NULL) { +return ENOMEM; +} + +ret = sss_ncache_set_ent(ctx, permanent, dom, neg_cache_name, + sss_ncache_set_user_int); +talloc_free(neg_cache_name); + +return ret; +} + int sss_ncache_set_group(struct sss_nc_ctx *ctx, bool permanent, struct sss_domain_info *dom, const char *name) { diff --git a/src/responder/common/negcache.h b/src/responder/common/negcache.h index 8af736a..782ec14 100644 --- a/src/responder/common/negcache.h +++ b/src/responder/common/negcache.h @@ -33,6 +33,8 @@ uint32_t sss_ncache_get_timeout(struct sss_nc_ctx *ctx); /* check if the user is expired according to the passed in time to live */ int sss_ncache_check_user(struct sss_nc_ctx *ctx, struct sss_domain_info *dom, const char *name); +int
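Review bot: the Makefile.am hunk adds `-Wl,-wrap,sss_ncache_check_upn` to nss_srv_tests_LDFLAGS, which only links if test_nss_srv.c defines a matching `__wrap_sss_ncache_check_upn()`; the diffstat lists 49 added lines in that file but its hunk is cut off in this message, so please confirm the wrapper is defined there and mirrors the behaviour of the existing `__wrap_sss_ncache_check_user` one, otherwise the cmocka binary fails to link.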
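Review bot: in the negcache.c hunks, sss_ncache_check_upn() and sss_ncache_set_upn() each build the namespaced key with their own literal `talloc_asprintf(ctx, "@%s", name)`; if the prefix is ever changed in one function and not the other, negative entries set for a UPN are never found again and the lookup falls through to the data provider every time. Suggest one shared definition of the prefix (a macro local to negcache.c, name of your choosing) used by both, plus a one-line comment in the negcache.h declarations explaining why UPN entries live in their own namespace (the commit message's reasoning: a failed lookup by plain name must not short-circuit a later lookup of the same string as a UPN). Allocating the temporary key on the long-lived `ctx` and freeing it immediately works, but a short-lived TALLOC_CTX would keep the negcache context free of churn.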
[SSSD] [sssd PR#137][comment] Initial pkinit support
URL: https://github.com/SSSD/sssd/pull/137
Title: #137: Initial pkinit support

jhrozek commented:
"""
master:
2d527aab0bab0c5323b7ea09c9a8c3820f4f8736
52f45837ded98564968da42229b37db6a36ad627
ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3
82c5971fafe6063a90289ebba08035fc49ae8590
dd17a3aaddab6f122dff3bd15b7005464c07c0ea
f70d946f8cde55b6bdc09345e22849842bca4387
d4757440418c7b73bbecec7e40baf6dfe8cc9460
254f3898cc9fb9d76e12d72a2955906c49748e6d
327a16652bbafbb77b5b90cc7abac3ded7c14364
f561c2bd3c72631ccb7ad6d0b5f6541b27b0922d
"""

See the full comment at https://github.com/SSSD/sssd/pull/137#issuecomment-281937886
[SSSD] [sssd PR#137][-Accepted] Initial pkinit support
URL: https://github.com/SSSD/sssd/pull/137
Title: #137: Initial pkinit support
Label: -Accepted
[SSSD] [sssd PR#137][closed] Initial pkinit support
URL: https://github.com/SSSD/sssd/pull/137
Author: sumit-bose
Title: #137: Initial pkinit support
Action: closed
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/137/head:pr137
git checkout pr137
[SSSD] [sssd PR#137][+Pushed] Initial pkinit support
URL: https://github.com/SSSD/sssd/pull/137
Title: #137: Initial pkinit support
Label: +Pushed
[SSSD] [sssd PR#137][comment] Initial pkinit support
URL: https://github.com/SSSD/sssd/pull/137 Title: #137: Initial pkinit support jhrozek commented: """ On Wed, Feb 22, 2017 at 09:29:02AM -0800, sumit-bose wrote: > Thank you for the rigid review, Since the review took so long, it better be good :-) > I've fixed the comments move some strucht members to a previous patch to not > break the individual compilation. All my comments were addressed and the patches still work fine. ACK. """ See the full comment at https://github.com/SSSD/sssd/pull/137#issuecomment-281937150 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#137][+Accepted] Initial pkinit support
URL: https://github.com/SSSD/sssd/pull/137
Title: #137: Initial pkinit support
Label: +Accepted
[SSSD] [sssd PR#165][comment] selinux: Do not fail if SELinux is not managed
URL: https://github.com/SSSD/sssd/pull/165
Title: #165: selinux: Do not fail if SELinux is not managed
adelton commented:
"""
> Did you try building the package for @adelton to see if it fixes the issue he
> was seeing?

I'll be happy to test either RHEL 7 or Fedora 24 builds, for https://bugzilla.redhat.com/show_bug.cgi?id=1415167 reproducer. Copr repo would be ideal.
"""
See the full comment at https://github.com/SSSD/sssd/pull/165#issuecomment-281933170
[SSSD] [sssd PR#162][+Changes requested] cache_req: use own namespace for UPNs
URL: https://github.com/SSSD/sssd/pull/162
Title: #162: cache_req: use own namespace for UPNs
Label: +Changes requested
[SSSD] [sssd PR#162][comment] cache_req: use own namespace for UPNs
URL: https://github.com/SSSD/sssd/pull/162
Title: #162: cache_req: use own namespace for UPNs
pbrezina commented:
"""
Hi Sumit,
I'm afraid that `cache_req` tests fail now.
"""
See the full comment at https://github.com/SSSD/sssd/pull/162#issuecomment-281929977
[SSSD] [sssd PR#152][+Changes requested] Add a tevent wrapper around libcurl's asynchronous interface
URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface
Label: +Changes requested
[SSSD] [sssd PR#165][comment] selinux: Do not fail if SELinux is not managed
URL: https://github.com/SSSD/sssd/pull/165
Title: #165: selinux: Do not fail if SELinux is not managed
jhrozek commented:
"""
On Wed, Feb 22, 2017 at 10:20:08AM -0800, mzidek-rh wrote:
> Previously we failed if selinux_is_managed returned
> 0 or -1 (not managed or error). With this patch we
> only fail in case of error and continue normally if
> selinux is not managed by libsemanage at all.
>
> Resolves:
> https://fedorahosted.org/sssd/ticket/3297
> You can view, comment on, or merge this pull request online at:
>
> https://github.com/SSSD/sssd/pull/165

So far I only scrolled through the diff, but it looks OK. Did you try building the package for @adelton to see if it fixes the issue he was seeing?
"""
See the full comment at https://github.com/SSSD/sssd/pull/165#issuecomment-281929604