[SSSD] [sssd PR#141][comment] PAM: Use cache_req to perform initgroups lookups

2017-02-23 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/141
Title: #141: PAM: Use cache_req to perform initgroups lookups

fidencio commented:
"""
CI: http://sssd-ci.duckdns.org/logs/job/63/43/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/141#issuecomment-282157874
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#141][synchronized] PAM: Use cache_req to perform initgroups lookups

2017-02-23 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/141
Author: fidencio
 Title: #141: PAM: Use cache_req to perform initgroups lookups
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/141/head:pr141
git checkout pr141
From 143d84ac936f38648f0cd603c54891f9d8554cd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Thu, 2 Feb 2017 13:06:30 +0100
Subject: [PATCH 1/4] CACHE_REQ: Add cache_req_data_set_bypass_cache()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This new cache_req_data method has been added because of the upcoming
changes in the PAM responder.

For deciding whether to contact the cache or just query the data
provider directly, the PAM responder calls pam_initgr_check_timeout(), which
returns whether the cache entry may still be valid. The cache will
be contacted only in case the cache entry is still valid; otherwise the
data provider will be called.

pam_initgr_check_timeout() basically checks whether the user (being
looked up) is still part of an in-memory hash table. Because the entry
is part of the hash table for a really short period of time, and is
automatically removed, the communication with the data provider is forced
to happen quite often.

As the follow-up changes should not modify this behaviour, this function
was introduced so we can still call pam_initgr_check_timeout() and pass
its result to the cache_req call that will perform the lookup.

Related:
https://fedorahosted.org/sssd/ticket/1126

Signed-off-by: Fabiano Fidêncio 
---
 src/responder/common/cache_req/cache_req.h | 3 +++
 src/responder/common/cache_req/cache_req_data.c| 7 +++
 src/responder/common/cache_req/cache_req_private.h | 2 ++
 src/responder/common/cache_req/cache_req_search.c  | 2 +-
 4 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
index 185558d..d0e5ff4 100644
--- a/src/responder/common/cache_req/cache_req.h
+++ b/src/responder/common/cache_req/cache_req.h
@@ -111,6 +111,9 @@ cache_req_data_host(TALLOC_CTX *mem_ctx,
 const char *name,
 const char *alias,
 const char **attrs);
+void
+cache_req_data_set_bypass_cache(struct cache_req_data *data,
+bool bypass_cache);
 
 /* Output data. */
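Review bot: the new cache_req_data_set_bypass_cache() prototype has no doc comment, unlike the constructors it follows; state that setting it makes the request skip the sysdb lookup and go straight to the data provider, and that it is combined with the plugin-level bypass_cache (either one skips the cache, as the cache_req_search.c hunk shows), so a caller cannot use it to re-enable the cache for a plugin that bypasses it.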
 
diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c
index b2e22ec..729e187 100644
--- a/src/responder/common/cache_req/cache_req_data.c
+++ b/src/responder/common/cache_req/cache_req_data.c
@@ -357,3 +357,10 @@ cache_req_data_host(TALLOC_CTX *mem_ctx,
 
 return cache_req_data_create(mem_ctx, type, );
 }
+
+void
+cache_req_data_set_bypass_cache(struct cache_req_data *data,
+bool bypass_cache)
+{
+data->bypass_cache = bypass_cache;
+}
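Review bot: cache_req_data_set_bypass_cache() dereferences data without a NULL check and has no way to report one, since it returns void; either document that data must be non-NULL (the caller has just obtained it from one of the cache_req_data_* constructors, so that is a reasonable contract) or make it a no-op on NULL with a debug message.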
diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h
index cc47375..3839f5a 100644
--- a/src/responder/common/cache_req/cache_req_private.h
+++ b/src/responder/common/cache_req/cache_req_private.h
@@ -84,6 +84,8 @@ struct cache_req_data {
 struct cache_req_cased_name protocol;
 uint16_t port;
 } svc;
+
+bool bypass_cache;
 };
 
 struct tevent_req *
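Review bot: the new `bool bypass_cache;` member of struct cache_req_data has no initializer visible in this patch; it defaults to false only if cache_req_data_create() allocates the struct with talloc_zero(). Please confirm that, or assign the field explicitly in the constructor, because an uninitialized true would silently disable the cache for every lookup. A one-line comment on the member (per-request override, see cache_req_search_send) would also help, since struct cache_req_plugin already has a member with the same name and a different scope.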
diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c
index eed82cf..ebbc2c7 100644
--- a/src/responder/common/cache_req/cache_req_search.c
+++ b/src/responder/common/cache_req/cache_req_search.c
@@ -214,7 +214,7 @@ cache_req_search_send(TALLOC_CTX *mem_ctx,
  */
 state->result = NULL;
 status = CACHE_OBJECT_MISSING;
-if (!cr->plugin->bypass_cache) {
+if (!cr->plugin->bypass_cache && !cr->data->bypass_cache) {
 ret = cache_req_search_cache(state, cr, >result);
 if (ret != EOK && ret != ENOENT) {
 goto done;
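Review bot: with data->bypass_cache set, the sysdb search is skipped and state->result stays NULL with status CACHE_OBJECT_MISSING, so the request goes straight to the data provider. That is what the PAM responder wants for initgroups, but please confirm what the later steps do when the backend is offline: if the provider call fails and nothing falls back to the cached entry, an authentication that previously succeeded offline could start failing. A short comment at this `if` naming the two bypass sources (plugin-wide versus per-request) would make the condition self-explanatory.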

From dd4c7354b9a263d9511233f896caafc07f911d03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Thu, 2 Feb 2017 13:19:18 +0100
Subject: [PATCH 2/4] PAM: Use cache_req to perform initgroups lookups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The PAM responder has already been taking advantage of the cache_req
interface, so this patch just replaces some code that performs
initgroups lookups by using cache_req to do so.

Resolves:
https://fedorahosted.org/sssd/ticket/1126

Signed-off-by: Fabiano Fidêncio 
---
 src/providers/data_provider.h  |   1 -
 src/responder/pam/pamsrv.h |   1 -
 src/responder/pam/pamsrv_cmd.c | 476 +++--
 3 files changed, 77 insertions(+), 401 deletions(-)

diff --git a/src/providers/data_provider.h 

[SSSD] [sssd PR#141][-Changes requested] PAM: Use cache_req to perform initgroups lookups

2017-02-23 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/141
Title: #141: PAM: Use cache_req to perform initgroups lookups

Label: -Changes requested


[SSSD] [sssd PR#141][comment] PAM: Use cache_req to perform initgroups lookups

2017-02-23 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/141
Title: #141: PAM: Use cache_req to perform initgroups lookups

fidencio commented:
"""
Big thanks to @sumit-bose who helped me with the tests not passing due to the 
rebase and for pointing out a whole piece of code that could also be 
dropped as part of the "PAM: Use cache_req to perform initgroups lookups" patch.

I'm updating this new series here and I'd highly recommend having this 
patchset re-tested by the reviewers.


"""

See the full comment at 
https://github.com/SSSD/sssd/pull/141#issuecomment-282144466


[SSSD] [sssd PR#167][synchronized] Add missing dyndns_auth option to AD and IPA provider man pages

2017-02-23 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/167
Author: justin-stephenson
 Title: #167: Add missing dyndns_auth option to AD and IPA provider man pages
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/167/head:pr167
git checkout pr167
From 60238d2900e8100865256a66b9c95fcc404535c8 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Thu, 23 Feb 2017 13:14:08 -0500
Subject: [PATCH] MAN: Add dyndns_auth option

Add the dyndns_auth option to the AD or IPA provider man pages for
more configuration information on nsupdate behavior.
---
 src/man/sssd-ad.5.xml  | 15 +++
 src/man/sssd-ipa.5.xml | 15 +++
 2 files changed, 30 insertions(+)

diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 083aa3d..f9aadc7 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -941,6 +941,21 @@ ad_gpo_map_deny = +my_pam_service
 
 
 
+dyndns_auth (string)
+
+
+Whether the nsupdate utility should use GSS-TSIG
+authentication for secure updates with the DNS
+server, insecure updates can be sent by setting
+this option to 'none'.
+
+
+Default: GSS-TSIG
+
+
+
+
+
 dyndns_server (string)
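Review bot: the description sentence is a comma splice and undersells the security trade-off of the non-default value. Split it and say what 'none' means, for example: "Whether the nsupdate utility should use GSS-TSIG authentication for secure updates with the DNS server. Setting this option to 'none' sends unsigned updates, which the DNS server must be configured to accept." Listing the accepted values (GSS-TSIG, none) next to "Default: GSS-TSIG" would also make the valid settings explicit.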
 
 
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 6dca186..fee6441 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -193,6 +193,21 @@
 
 
 
+dyndns_auth (string)
+
+
+Whether the nsupdate utility should use GSS-TSIG
+authentication for secure updates with the DNS
+server, insecure updates can be sent by setting
+this option to 'none'.
+
+
+Default: GSS-TSIG
+
+
+
+
+
 ipa_enable_dns_sites (boolean)
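Review bot: this paragraph duplicates the sssd-ad.5.xml text verbatim, so the same comma-splice fix and the explanation of what 'none' implies apply here; keep both copies identical, or move the shared description into a common include so the two man pages cannot drift apart.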
 
 


[SSSD] [sssd PR#167][opened] Add missing dyndns_auth option to AD and IPA provider man pages

2017-02-23 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/167
Author: justin-stephenson
 Title: #167: Add missing dyndns_auth option to AD and IPA provider man pages
Action: opened

PR body:
"""
Add the **dyndns_auth** option into the `sssd-ad` and `sssd-ipa` provider man 
pages for more configuration information regarding nsupdate behavior.

There was no ticket for this, I wasn't sure if it was required to create one 
for this already-implemented option.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/167/head:pr167
git checkout pr167
From e4833d4c87502f3eeb5901ebda51afeee7176121 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Thu, 23 Feb 2017 13:14:08 -0500
Subject: [PATCH] MAN: Add dyndns_auth option

Add the dyndns_auth option to the AD or IPA provider man pages for
more configuration information on nsupdate behavior.
---
 src/man/sssd-ad.5.xml  | 12 
 src/man/sssd-ipa.5.xml | 12 
 2 files changed, 24 insertions(+)

diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 083aa3d..c7f928b 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -941,6 +941,18 @@ ad_gpo_map_deny = +my_pam_service
 
 
 
+dyndns_auth (string)
+
+
+Whether the nsupdate utility should use GSS-TSIG authentication for secure updates with the DNS server, insecure updates can be sent by setting this option to 'none'.
+
+
+Default: GSS-TSIG
+
+
+
+
+
 dyndns_server (string)
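Review bot: the added description is a single line well over 80 columns; wrap it at the width of the surrounding XML (the later revision of this PR above does so). The sentence is also a comma splice and should be split at "server," with a second sentence saying that 'none' sends unsigned updates.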
 
 
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 6dca186..10f33c0 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -193,6 +193,18 @@
 
 
 
+dyndns_auth (string)
+
+
+Whether the nsupdate utility should use GSS-TSIG authentication for secure updates with the DNS server, insecure updates can be sent by setting this option to 'none'.
+
+
+Default: GSS-TSIG
+
+
+
+
+
 ipa_enable_dns_sites (boolean)
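Review bot: same overlong line and comma splice as in the sssd-ad.5.xml hunk; apply the same wrapping and split here so the two man pages stay identical.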
 
 


[SSSD] [sssd PR#167][comment] Add missing dyndns_auth option to AD and IPA provider man pages

2017-02-23 Thread centos-ci
  URL: https://github.com/SSSD/sssd/pull/167
Title: #167: Add missing dyndns_auth option to AD and IPA provider man pages

centos-ci commented:
"""
Can one of the admins verify this patch?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/167#issuecomment-282076596


[SSSD] Trac is now read only in preparation for migration to pagure.io

2017-02-23 Thread Jakub Hrozek
Hi,

since fedorahosted.org is going down and we're migrating the sssd
project to pagure.io, I've removed permissions in trac from anyone who
wasn't TRAC_ADMIN previously.

Lukas will send more details about the migration soon.


[SSSD] [sssd PR#141][comment] PAM: Use cache_req to perform initgroups lookups

2017-02-23 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/141
Title: #141: PAM: Use cache_req to perform initgroups lookups

fidencio commented:
"""
@jhrozek: I'm doing that, but it's going to take some time and I do believe 
patches will have to be reviewed again (as more changes are being done in order 
to have the tests passing ...)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/141#issuecomment-281972197


[SSSD] [sssd PR#152][+Changes requested] Add a tevent wrapper around libcurl's asynchronous interface

2017-02-23 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

Label: +Changes requested


[SSSD] [sssd PR#163][synchronized] Enable the files domain for all sssd configurations

2017-02-23 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/163
Author: jhrozek
 Title: #163: Enable the files domain for all sssd configurations
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/163/head:pr163
git checkout pr163
From 47a28714c047385b9800473627f570662215670d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Tue, 21 Feb 2017 16:34:45 +0100
Subject: [PATCH 1/5] MONITOR: Enable an implicit files domain if one is not
 configured

Resolves:
https://fedorahosted.org/sssd/ticket/3112

If SSSD is compiled with --enable-files-domain, the loading of the
domains changes such that:
* if no domain with id_provider=files exists in the config file, an
  implicit SSSD files domain is added
* this domain is always first in the list

The administrator is free to create a files domain in the config file
himself and either place it at the end of the list or not enable it at
all.
---
 src/conf_macros.m4|  12 
 src/confdb/confdb.c   | 165 ++
 src/confdb/confdb.h   |   3 +
 src/monitor/monitor.c |  11 
 4 files changed, 191 insertions(+)

diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 427b0e0..bd65217 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -903,3 +903,15 @@ AC_DEFUN([WITH_SECRETS_DB_PATH],
 AC_SUBST(secdbpath)
 AC_DEFINE_UNQUOTED(SECRETS_DB_PATH, "$config_secdbpath", [Path to the SSSD Secrets databases])
   ])
+
+AC_ARG_ENABLE([files-domain],
+  [AS_HELP_STRING([--enable-files-domain],
+  [If this feature is enabled, then SSSD always enables
+   a domain with id_provider=files even if the domain
+   is not specified in the config file
+  [default=no]])],
+  [enable_files_domain=$enableval],
+  [enable_files_domain=no])
+AS_IF([test x$enable_files_domain = xyes],
+  AC_DEFINE_UNQUOTED([ADD_FILES_DOMAIN], [1],
+  [whether to build unconditionally enable files domain]))
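Review bot: the AC_DEFINE description "[whether to build unconditionally enable files domain]" is ungrammatical; something like "[Whether to always enable an implicit files domain]" reads better. In the AS_HELP_STRING the "[default=no]" sits inside the description sentence rather than after it, so a full stop before it would help. Also, the help text says SSSD "always enables a domain with id_provider=files even if the domain is not specified", whereas the commit message says an explicitly configured files domain is respected; "adds an implicit files domain unless one is configured" would match the implementation.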
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index c7afd68..980cabc 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1643,3 +1643,168 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,
 talloc_free(tmp_ctx);
 return ret;
 }
+
+#ifdef ADD_FILES_DOMAIN
+static int confdb_has_files_domain(struct confdb_ctx *cdb)
+{
+TALLOC_CTX *tmp_ctx = NULL;
+struct ldb_dn *dn = NULL;
+struct ldb_result *res = NULL;
+static const char *attrs[] = {CONFDB_DOMAIN_ID_PROVIDER, NULL};
+const char *id_provider = NULL;
+int ret;
+unsigned int i;
+
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+return ENOMEM;
+}
+
+dn = ldb_dn_new(tmp_ctx, cdb->ldb, CONFDB_DOMAIN_BASEDN);
+if (dn == NULL) {
+ret = ENOMEM;
+goto done;
+}
+
+ret = ldb_search(cdb->ldb, tmp_ctx, , dn, LDB_SCOPE_ONELEVEL,
+ attrs, NULL);
+if (ret != LDB_SUCCESS) {
+ret = EIO;
+goto done;
+}
+
+for (i = 0; i < res->count; i++) {
+id_provider = ldb_msg_find_attr_as_string(res->msgs[i],
+  CONFDB_DOMAIN_ID_PROVIDER,
+  NULL);
+if (id_provider == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+  "The object [%s] doesn't have a id_provider\n",
+   ldb_dn_get_linearized(res->msgs[i]->dn));
+ret = EINVAL;
+goto done;
+}
+
+if (strcasecmp(id_provider, "files") == 0) {
+break;
+}
+}
+
+ret = i < res->count ? EOK : ENOENT;
+done:
+talloc_free(tmp_ctx);
+return ret;
+}
+
+static int create_files_domain(struct confdb_ctx *cdb,
+   const char *name)
+{
+TALLOC_CTX *tmp_ctx = NULL;
+errno_t ret;
+char *cdb_path = NULL;
+const char *val[2] = {NULL, NULL};
+
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+return ENOMEM;
+}
+
+cdb_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL, name);
+if (cdb_path == NULL) {
+ret = ENOMEM;
+goto done;
+}
+
+val[0] = "files";
+ret = confdb_add_param(cdb, true, cdb_path, "id_provider", val);
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add id_provider [%d]: %s\n",
+  ret, sss_strerror(ret));
+goto done;
+}
+
+ret = EOK;
+done:
+talloc_free(tmp_ctx);
+return ret;
+}
+
+static int activate_files_domain(struct confdb_ctx *cdb,
+ const char *name)
+{
+errno_t ret;
+TALLOC_CTX *tmp_ctx;
+char *monitor_domlist;
+const char *domlist[2] = { NULL, NULL };
+
+tmp_ctx = talloc_new(NULL);
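Review bot: in confdb_has_files_domain() the LDB_SCOPE_ONELEVEL search under CONFDB_DOMAIN_BASEDN returns every domain section stored in the confdb, and a section without id_provider makes the function return EINVAL, so one incomplete or stale [domain/...] section now aborts the whole check and, presumably, monitor startup. Consider logging and skipping such entries (continue) and leaving enforcement of id_provider to the code that actually starts the domain. Two smaller points: create_files_domain() writes only id_provider, so please double-check that the implicit domain picks up the same defaults as a files domain written by the administrator; and the patch is cut off right after `tmp_ctx = talloc_new(NULL);` in activate_files_domain(), so I could not see whether the NULL check that the other two functions have follows it.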
+


[SSSD] [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface

2017-02-23 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

pbrezina commented:
"""
Ack from my side. We can push these patches. I will modify the integration to 
some extent for `secrets` needs.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/152#issuecomment-281951656


[SSSD] [sssd PR#141][comment] PAM: Use cache_req to perform initgroups lookups

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/141
Title: #141: PAM: Use cache_req to perform initgroups lookups

jhrozek commented:
"""
@fidencio , can you rebase this branch atop Sumit's PKINIT patches so we can 
merge it?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/141#issuecomment-281947395


[SSSD] [sssd PR#141][+Changes requested] PAM: Use cache_req to perform initgroups lookups

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/141
Title: #141: PAM: Use cache_req to perform initgroups lookups

Label: +Changes requested


[SSSD] [sssd PR#153][-Changes requested] sss_cache: User/groups invalidation in domain cache

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache

Label: -Changes requested


[SSSD] [sssd PR#165][comment] selinux: Do not fail if SELinux is not managed

2017-02-23 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/165
Title: #165: selinux: Do not fail if SELinux is not managed

lslebodn commented:
"""
On (23/02/17 00:40), Jakub Hrozek wrote:
>On Wed, Feb 22, 2017 at 10:20:08AM -0800, mzidek-rh wrote:
>> Previously we failed if selinux_is_managed returned
>> 0 or -1 (not managed or error). With this patch we
>> only fail in case of error and continue normally if
>> selinux is not managed by libsemanage at all.
>> 
>> Resolves:
>> https://fedorahosted.org/sssd/ticket/3297
>> You can view, comment on, or merge this pull request online at:
>> 
>>   https://github.com/SSSD/sssd/pull/165
>
>So far I only scrolled through the diff, but it looks OK. Did you try
>building the package for @adelton to see if it fixes the issue he was
>seeing?
>
Firstly we need to ensure that we do not break selinux integration.
Then we can check use case with disabled SELinux.

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/165#issuecomment-281942899


[SSSD] [sssd PR#152][-Changes requested] Add a tevent wrapper around libcurl's asynchronous interface

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

Label: -Changes requested


[SSSD] [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

jhrozek commented:
"""
@lslebodn could you please check if you agree with how the curlwrap tool is 
built and detected during the intgcheck target? The intent was to skip building 
it on old platforms or when building without libcurl. In that case, the 
integration tests that need the curlwrap tool are skipped.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/152#issuecomment-281942128


[SSSD] [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

jhrozek commented:
"""
Thank you, hopefully I addressed all concerns. 
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/152#issuecomment-281941839


[SSSD] [sssd PR#162][-Changes requested] cache_req: use own namespace for UPNs

2017-02-23 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/162
Title: #162: cache_req: use own namespace for UPNs

Label: -Changes requested


[SSSD] [sssd PR#162][comment] cache_req: use own namespace for UPNs

2017-02-23 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/162
Title: #162: cache_req: use own namespace for UPNs

sumit-bose commented:
"""
Oops, I'm sorry, I'm quite sure I ran 'make check' a couple of times but I 
didn't run 'make clean' so I guess this test wasn't rebuilt. The new version 
should fix it.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/162#issuecomment-281938465


[SSSD] [sssd PR#164][closed] Remove unused import of run_shell from tests

2017-02-23 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/164
Author: jhrozek
 Title: #164: Remove unused import of run_shell from tests
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/164/head:pr164
git checkout pr164


[SSSD] [sssd PR#164][-Accepted] Remove unused import of run_shell from tests

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/164
Title: #164: Remove unused import of run_shell from tests

Label: -Accepted


[SSSD] [sssd PR#164][comment] Remove unused import of run_shell from tests

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/164
Title: #164: Remove unused import of run_shell from tests

jhrozek commented:
"""
* master: 1b55ac98db6a319d45edae6c27ff3804f1f4d28a
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/164#issuecomment-281938239


[SSSD] [sssd PR#162][synchronized] cache_req: use own namespace for UPNs

2017-02-23 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/162
Author: sumit-bose
 Title: #162: cache_req: use own namespace for UPNs
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/162/head:pr162
git checkout pr162
From 8272eb62e06f81b70895547358de9cd7cda248a4 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 22 Feb 2017 14:34:06 +0100
Subject: [PATCH] cache_req: use own namespace for UPNs

If the UPN use the same domain name as the configured domain an
unsuccessful lookup by name will already create an entry in the negative
cache. If the lookup by UPN would use the same namespace the lookup will
immediately be finished because there would already be an entry in the
negative cache.

Resolves https://fedorahosted.org/sssd/ticket/3313
---
 Makefile.am|  1 +
 .../cache_req/plugins/cache_req_user_by_upn.c  |  4 +-
 src/responder/common/negcache.c| 36 
 src/responder/common/negcache.h|  4 ++
 src/tests/cmocka/test_nss_srv.c| 49 ++
 src/tests/cmocka/test_responder_cache_req.c|  6 +--
 6 files changed, 95 insertions(+), 5 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index e676e18..8e8eb9a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2192,6 +2192,7 @@ nss_srv_tests_CFLAGS = \
 $(AM_CFLAGS)
 nss_srv_tests_LDFLAGS = \
 -Wl,-wrap,sss_ncache_check_user \
+-Wl,-wrap,sss_ncache_check_upn \
 -Wl,-wrap,sss_ncache_check_uid \
 -Wl,-wrap,sss_ncache_check_sid \
 -Wl,-wrap,sss_ncache_check_cert \
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
index f496479..9c69573 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
@@ -66,7 +66,7 @@ cache_req_user_by_upn_ncache_check(struct sss_nc_ctx *ncache,
struct sss_domain_info *domain,
struct cache_req_data *data)
 {
-return sss_ncache_check_user(ncache, domain, data->name.lookup);
+return sss_ncache_check_upn(ncache, domain, data->name.lookup);
 }
 
 static errno_t
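Review bot: switching the UPN plugin to sss_ncache_check_upn() fixes the false hit described in the commit message, but it also means a name lookup and a UPN lookup for the same string are now negatively cached independently: a failed lookup by name no longer suppresses the UPN lookup, so the data provider can be contacted twice for an unknown principal within one negative-cache timeout. That seems acceptable, but it deserves a sentence in the commit message, and any negative entries written by the old code under the plain user name will still linger until they expire.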
@@ -74,7 +74,7 @@ cache_req_user_by_upn_ncache_add(struct sss_nc_ctx *ncache,
  struct sss_domain_info *domain,
  struct cache_req_data *data)
 {
-return sss_ncache_set_user(ncache, false, domain, data->name.lookup);
+return sss_ncache_set_upn(ncache, false, domain, data->name.lookup);
 }
 
 static errno_t
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 944a06e..084c47a 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -289,6 +289,24 @@ int sss_ncache_check_user(struct sss_nc_ctx *ctx, struct sss_domain_info *dom,
 return sss_cache_check_ent(ctx, dom, name, sss_ncache_check_user_int);
 }
 
+int sss_ncache_check_upn(struct sss_nc_ctx *ctx, struct sss_domain_info *dom,
+ const char *name)
+{
+char *neg_cache_name = NULL;
+errno_t ret;
+
+neg_cache_name = talloc_asprintf(ctx, "@%s", name);
+if (neg_cache_name == NULL) {
+return ENOMEM;
+}
+
+ret = sss_cache_check_ent(ctx, dom, neg_cache_name,
+  sss_ncache_check_user_int);
+talloc_free(neg_cache_name);
+
+return ret;
+}
+
 int sss_ncache_check_group(struct sss_nc_ctx *ctx, struct sss_domain_info *dom,
const char *name)
 {
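Review bot: sss_ncache_check_upn() and sss_ncache_set_upn() both build the key with talloc_asprintf(ctx, "@%s", name) and then call the *_user_int helpers; keep the prefix in one place (a small static helper or a #define for the "@" separator) so the two cannot drift, and add a comment in negcache.h explaining that UPN entries live in the user subtree under an '@'-prefixed name so they cannot collide with a plain user-name entry. The temporary string is allocated on the long-lived ctx and freed before return, so there is no leak, but a NULL or temporary context would avoid touching the cache context for a scratch buffer.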
@@ -540,6 +558,24 @@ int sss_ncache_set_user(struct sss_nc_ctx *ctx, bool permanent,
 return sss_ncache_set_ent(ctx, permanent, dom, name, sss_ncache_set_user_int);
 }
 
+int sss_ncache_set_upn(struct sss_nc_ctx *ctx, bool permanent,
+   struct sss_domain_info *dom, const char *name)
+{
+char *neg_cache_name = NULL;
+errno_t ret;
+
+neg_cache_name = talloc_asprintf(ctx, "@%s", name);
+if (neg_cache_name == NULL) {
+return ENOMEM;
+}
+
+ret = sss_ncache_set_ent(ctx, permanent, dom, neg_cache_name,
+ sss_ncache_set_user_int);
+talloc_free(neg_cache_name);
+
+return ret;
+}
+
 int sss_ncache_set_group(struct sss_nc_ctx *ctx, bool permanent,
  struct sss_domain_info *dom, const char *name)
 {
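Review bot: this body duplicates `sss_ncache_check_upn` almost line for line (`neg_cache_name = talloc_asprintf(ctx, "@%s", name);`, the ENOMEM check and the `talloc_free`), with only the `sss_ncache_set_ent`/`sss_ncache_set_user_int` pair differing; factor the key construction into one static helper (for example returning the prefixed name, or taking the `_int` callback as a parameter) so the prefix cannot drift between the check and the set side, which is the one way the two functions could become inconsistent without any test noticing. Passing `permanent` straight through to `sss_ncache_set_ent` mirrors `sss_ncache_set_user` above and looks right.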
diff --git a/src/responder/common/negcache.h b/src/responder/common/negcache.h
index 8af736a..782ec14 100644
--- a/src/responder/common/negcache.h
+++ b/src/responder/common/negcache.h
@@ -33,6 +33,8 @@ uint32_t sss_ncache_get_timeout(struct sss_nc_ctx *ctx);
 /* check if the user is expired according to the passed in time to live */
 int sss_ncache_check_user(struct sss_nc_ctx *ctx, struct sss_domain_info *dom,
   const char *name);
+int 
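Review bot: the existing declaration directly above carries the comment "check if the user is expired according to the passed in time to live", while the new declaration is added without one; give the UPN variants an equivalent comment that also records that the name is stored under a separate "@"-prefixed key, since the header is where a caller of the negative cache will look for that distinction.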

[SSSD] [sssd PR#137][comment] Initial pkinit support

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/137
Title: #137: Initial pkinit support

jhrozek commented:
"""
master:
2d527aab0bab0c5323b7ea09c9a8c3820f4f8736
52f45837ded98564968da42229b37db6a36ad627
ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3
82c5971fafe6063a90289ebba08035fc49ae8590
dd17a3aaddab6f122dff3bd15b7005464c07c0ea
f70d946f8cde55b6bdc09345e22849842bca4387
d4757440418c7b73bbecec7e40baf6dfe8cc9460
254f3898cc9fb9d76e12d72a2955906c49748e6d
327a16652bbafbb77b5b90cc7abac3ded7c14364
f561c2bd3c72631ccb7ad6d0b5f6541b27b0922d

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/137#issuecomment-281937886
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#137][-Accepted] Initial pkinit support

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/137
Title: #137: Initial pkinit support

Label: -Accepted


[SSSD] [sssd PR#137][closed] Initial pkinit support

2017-02-23 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/137
Author: sumit-bose
 Title: #137: Initial pkinit support
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/137/head:pr137
git checkout pr137


[SSSD] [sssd PR#137][+Pushed] Initial pkinit support

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/137
Title: #137: Initial pkinit support

Label: +Pushed


[SSSD] [sssd PR#137][comment] Initial pkinit support

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/137
Title: #137: Initial pkinit support

jhrozek commented:
"""
On Wed, Feb 22, 2017 at 09:29:02AM -0800, sumit-bose wrote:
> Thank you for the rigid review,

Since the review took so long, it better be good :-)

> I've fixed the comments and moved some struct members to a previous patch to not 
> break the individual compilation.

All my comments were addressed and the patches still work fine. ACK.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/137#issuecomment-281937150


[SSSD] [sssd PR#137][+Accepted] Initial pkinit support

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/137
Title: #137: Initial pkinit support

Label: +Accepted


[SSSD] [sssd PR#165][comment] selinux: Do not fail if SELinux is not managed

2017-02-23 Thread adelton
  URL: https://github.com/SSSD/sssd/pull/165
Title: #165: selinux: Do not fail if SELinux is not managed

adelton commented:
"""
> Did you try building the package for @adelton to see if it fixes the issue he 
> was seeing?

I'll be happy to test either RHEL 7 or Fedora 24 builds, for 
https://bugzilla.redhat.com/show_bug.cgi?id=1415167 reproducer. Copr repo would 
be ideal.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/165#issuecomment-281933170


[SSSD] [sssd PR#162][+Changes requested] cache_req: use own namespace for UPNs

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/162
Title: #162: cache_req: use own namespace for UPNs

Label: +Changes requested
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#162][comment] cache_req: use own namespace for UPNs

2017-02-23 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/162
Title: #162: cache_req: use own namespace for UPNs

pbrezina commented:
"""
Hi Sumit, I'm afraid that `cache_req` tests fail now.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/162#issuecomment-281929977


[SSSD] [sssd PR#152][+Changes requested] Add a tevent wrapper around libcurl's asynchronous interface

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

Label: +Changes requested
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#165][comment] selinux: Do not fail if SELinux is not managed

2017-02-23 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/165
Title: #165: selinux: Do not fail if SELinux is not managed

jhrozek commented:
"""
On Wed, Feb 22, 2017 at 10:20:08AM -0800, mzidek-rh wrote:
> Previously we failed if selinux_is_managed returned
> 0 or -1 (not managed or error). With this patch we
> only fail in case of error and continue normally if
> selinux is not managed by libsemanage at all.
> 
> Resolves:
> https://fedorahosted.org/sssd/ticket/3297
> You can view, comment on, or merge this pull request online at:
> 
>   https://github.com/SSSD/sssd/pull/165

So far I only scrolled through the diff, but it looks OK. Did you try
building the package for @adelton to see if it fixes the issue he was
seeing?

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/165#issuecomment-281929604