[SSSD] [sssd PR#613][comment] cache_req: Keep the files provider as the first domain to be searched
URL: https://github.com/SSSD/sssd/pull/613
Title: #613: cache_req: Keep the files provider as the first domain to be searched

fidencio commented:
"""
@sumit-bose, I've updated the patchset.
"""

See the full comment at https://github.com/SSSD/sssd/pull/613#issuecomment-403964058
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/S4UM6BYS3PQXVJMQXAJLGO3MOQNWVUG4/
[SSSD] [sssd PR#613][-Changes requested] cache_req: Keep the files provider as the first domain to be searched
URL: https://github.com/SSSD/sssd/pull/613
Title: #613: cache_req: Keep the files provider as the first domain to be searched
Label: -Changes requested
[SSSD] [sssd PR#613][synchronized] cache_req: Keep the files provider as the first domain to be searched
URL: https://github.com/SSSD/sssd/pull/613 Author: fidencio Title: #613: cache_req: Keep the files provider as the first domain to be searched Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/613/head:pr613 git checkout pr613 From 28b1d6bf51f6c9bf85ec4a59f70143004b2edcb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 9 Jul 2018 12:58:34 +0200 Subject: [PATCH 1/3] cache_req: keep the files provider as the first domain to be searched MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently we can't guarantee any order on which domain will the first to be searched. More than that, in case domain_resolution_order is set, we actually enforce that the first domain searched will respect the option set. This behaviour is not exactly the expect, as the implicit files domain has to be searched first in order to avoid querying for local users in remote domains. In order to enforce this, let's just keep the files domain as the first to be searched, always! Resolves: https://pagure.io/SSSD/sssd/issue/3768 Signed-off-by: Fabiano Fidêncio --- src/responder/common/cache_req/cache_req_domain.c | 15 ++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c index ad86d1252..d1621cbab 100644 --- a/src/responder/common/cache_req/cache_req_domain.c +++ b/src/responder/common/cache_req/cache_req_domain.c @@ -148,6 +148,7 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx, int flag = SSS_GND_ALL_DOMAINS; int i; bool enforce_non_fqnames = false; +bool files_provider = false; errno_t ret; /* Firstly, in case a domains' resolution order is passed ... iterate over 
@@ -190,6 +191,8 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx, continue; } +files_provider = is_files_provider(dom); + cr_domain = talloc_zero(mem_ctx, struct cache_req_domain); if (cr_domain == NULL) { ret = ENOMEM; @@ -207,11 +210,21 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx, * NOTE: we do *not* want to use fully qualified names for the * files provider.*/ if (resolution_order != NULL) { -if (!is_files_provider(cr_domain->domain)) { +if (!files_provider) { sss_domain_info_set_output_fqnames(cr_domain->domain, true); } } +/* The implicit files provider should always be searched firstly, + * doesn't matter whether the domain_resolution_order set! + * + * By doing this we avoid querying other domains for local users. + */ +if (files_provider) { +DLIST_ADD(cr_domains, cr_domain); +continue; +} + DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *); } From 622f9c855e1ae8fd15581e924ef04b88f30a33b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 10 Jul 2018 11:05:30 +0200 Subject: [PATCH 2/3] tests: add basic tests for cache_req_domain_new_list_from_domain_resolution_order() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Related: https://pagure.io/SSSD/sssd/issue/3768 Signed-off-by: Fabiano Fidêncio --- Makefile.am | 14 ++- src/tests/domain_resolution_order-tests.c | 198 ++ 2 files changed, 211 insertions(+), 1 deletion(-) create mode 100644 src/tests/domain_resolution_order-tests.c diff --git a/Makefile.am b/Makefile.am index 73e40def8..4786639f7 100644 --- a/Makefile.am +++ b/Makefile.am @@ -219,7 +219,8 @@ if HAVE_CHECK ipa_hbac-tests \ sss_idmap-tests \ responder_socket_access-tests \ -safe-format-tests +safe-format-tests \ +domain_resolution_order-tests if BUILD_SSH non_interactive_check_based_tests += sysdb_ssh-tests 
@@ -2059,6 +2060,17 @@ files_tests_LDADD = \ $(SSSD_INTERNAL_LTLIBS) endif # HAVE_INOTIFY +domain_resolution_order_tests_SOURCES = \ +src/tests/domain_resolution_order-tests.c \ +src/responder/common/cache_req/cache_req_domain.c +domain_resolution_order_tests_CFLAGS = \ +$(AM_CFLAGS) \ +$(CHECK_CFLAGS) +domain_resolution_order_tests_LDADD = \ +$(CHECK_LIBS) \ +libsss_test_common.la \ +$(SSSD_INTERNAL_LTLIBS) + SSSD_RESOLV_TESTS_OBJ = \ $(SSSD_RESOLV_OBJ) diff --git a/src/tests/domain_resolution_order-tests.c b/src/tests/domain_resolution_order-tests.c new file mode 100644 index 0..79a63c568 --- /dev/null +++ b/src/tests/domain_resolution_order-tests.c @@ -0,0 +1,198 @@ +/* +Authors: +Fabiano Fidêncio + +Copyright (C) 2018 Red Hat + +SSSD tests: Domain
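Review bot: In the last hunk of PATCH 1/3 (@@ -207,11 +210,21 @@ in cache_req_domain.c) the new comment promises that the implicit files provider is searched first, but the branch is taken for every domain where is_files_provider(dom) is true, and DLIST_ADD(cr_domains, cr_domain) prepends on each hit. If a configuration can carry more than one files domain, the later one lands ahead of the earlier one, so their relative order is reversed; please either state in the comment that this is acceptable or insert after the files domains already at the head. Because this ordering is what keeps lookups for local users from reaching remote domains, a test that sets domain_resolution_order with a remote domain first and asserts that the head of the list is still the files domain would pin the behaviour down. The comment text also needs a grammar pass ("searched firstly, doesn't matter whether the domain_resolution_order set"), and an if/else around DLIST_ADD and DLIST_ADD_END would read more plainly than the early continue.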
[SSSD] [sssd PR#612][comment] crypto: Silence a Coverity warning in sss_hmac_sha1()
URL: https://github.com/SSSD/sssd/pull/612
Title: #612: crypto: Silence a Coverity warning in sss_hmac_sha1()

sumit-bose commented:
"""
Thanks, I'll do a CI and Coverity run before sending the ACK.
"""

See the full comment at https://github.com/SSSD/sssd/pull/612#issuecomment-403911646
[SSSD] [sssd PR#611][comment] Do not build the local provider by default
URL: https://github.com/SSSD/sssd/pull/611
Title: #611: Do not build the local provider by default

pbrezina commented:
"""
> Thanks, this is a good start. We also want to remove the whole pysss.local
> interface and don't build the sss_* tools like sss_useradd and so on.
>
> If you want to remove the usage of the local provider from tests, does it
> make sense to keep the code at all using the is_local_provider functions?
> Remember the code is not lost forever, we can always resurrect it from git
> history.
>
> btw I'm not sold either way myself, on one hand the local provider might be
> handy for tests, on the other hand I haven't used it in a long time myself.
> So I would not be completely mad if it goes away.

Definitely drop all the code related to local provider. It makes the code complicated since it is a special case. It is also very easy to forget it. If it will be needed again, we can implement a simple backend for local provider just returning EOK from the dbus handlers. But I have literally never used it for testing ever. In addition, it does not really test anything today since it never goes to backend and requires special casing in responders.
"""

See the full comment at https://github.com/SSSD/sssd/pull/611#issuecomment-403879182
[SSSD] [sssd PR#595][+Pushed] sudo: allow use of default domain suffix (sssd-1-13)
URL: https://github.com/SSSD/sssd/pull/595
Title: #595: sudo: allow use of default domain suffix (sssd-1-13)
Label: +Pushed
[SSSD] [sssd PR#595][closed] sudo: allow use of default domain suffix (sssd-1-13)
URL: https://github.com/SSSD/sssd/pull/595
Author: pbrezina
Title: #595: sudo: allow use of default domain suffix (sssd-1-13)
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/595/head:pr595
git checkout pr595
[SSSD] [sssd PR#595][comment] sudo: allow use of default domain suffix (sssd-1-13)
URL: https://github.com/SSSD/sssd/pull/595
Title: #595: sudo: allow use of default domain suffix (sssd-1-13)

jhrozek commented:
"""
* sssd-1-13: 5f234f231e5293a255fd9d864561d77091f5bcb6
"""

See the full comment at https://github.com/SSSD/sssd/pull/595#issuecomment-403873819
[SSSD] [sssd PR#595][comment] sudo: allow use of default domain suffix (sssd-1-13)
URL: https://github.com/SSSD/sssd/pull/595
Title: #595: sudo: allow use of default domain suffix (sssd-1-13)

jhrozek commented:
"""
The tests passed, I just forgot to push the patch to sssd-1-13..
"""

See the full comment at https://github.com/SSSD/sssd/pull/595#issuecomment-403873254
[SSSD] [sssd PR#595][+Accepted] sudo: allow use of default domain suffix (sssd-1-13)
URL: https://github.com/SSSD/sssd/pull/595
Title: #595: sudo: allow use of default domain suffix (sssd-1-13)
Label: +Accepted
[SSSD] [sssd PR#614][comment] nss_protocol_fill_initgr: skip incomplete groups instead of bailing out
URL: https://github.com/SSSD/sssd/pull/614
Title: #614: nss_protocol_fill_initgr: skip incomplete groups instead of bailing out

fidencio commented:
"""
ok to test
"""

See the full comment at https://github.com/SSSD/sssd/pull/614#issuecomment-403871241
[SSSD] [sssd PR#614][comment] nss_protocol_fill_initgr: skip incomplete groups instead of bailing out
URL: https://github.com/SSSD/sssd/pull/614
Title: #614: nss_protocol_fill_initgr: skip incomplete groups instead of bailing out

centos-ci commented:
"""
Can one of the admins verify this patch?
"""

See the full comment at https://github.com/SSSD/sssd/pull/614#issuecomment-403867722
[SSSD] [sssd PR#614][comment] nss_protocol_fill_initgr: skip incomplete groups instead of bailing out
URL: https://github.com/SSSD/sssd/pull/614
Title: #614: nss_protocol_fill_initgr: skip incomplete groups instead of bailing out

centos-ci commented:
"""
Can one of the admins verify this patch?
"""

See the full comment at https://github.com/SSSD/sssd/pull/614#issuecomment-403867723
[SSSD] [sssd PR#614][opened] nss_protocol_fill_initgr: skip incomplete groups instead of bailing out
URL: https://github.com/SSSD/sssd/pull/614 Author: asheplyakov Title: #614: nss_protocol_fill_initgr: skip incomplete groups instead of bailing out Action: opened PR body: """ Suppose the user U is a member of (AD) groups D1\A, D1\B, D2\X, and no domain controllers in the domain D2 can be reached at the moment (and there are no cached info). As of now initgroups won't assign any groups at all. To improve the behavior skip the incomplete groups so initgroup assigns at least some groups (D1\A, D1\B in the above example). """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/614/head:pr614 git checkout pr614 From 4715b03dc7d5ad980cf0c3b8a7ae2823b30acbce Mon Sep 17 00:00:00 2001 From: Alexey Sheplyakov Date: Tue, 10 Jul 2018 14:51:15 + Subject: [PATCH] nss_protocol_fill_initgr: skip incomplete groups instead of bailing out Suppose the user U is a member of (AD) groups D1\A, D1\B, D2\X, and no domain controllers in the domain D2 can be reached at the moment (and there are no cached info). As of now initgroups won't assign any groups at all. To improve the behavior skip the incomplete groups so initgroup assigns at least some groups (D1\A, D1\B in the above example). --- src/responder/nss/nss_protocol_grent.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c index b89ce2bc5..a697e86ef 100644 --- a/src/responder/nss/nss_protocol_grent.c +++ b/src/responder/nss/nss_protocol_grent.c 
@@ -365,11 +365,10 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, if (posix != NULL && strcmp(posix, "FALSE") == 0) { continue; } else { -DEBUG(SSSDBG_CRIT_FAILURE, +DEBUG(SSSDBG_MINOR_FAILURE, "Incomplete group object [%s] for initgroups! " - "Aborting.\n", ldb_dn_get_linearized(msg->dn)); -ret = EINVAL; -goto done; + "Skipping.\n", ldb_dn_get_linearized(msg->dn)); +continue; } }
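Review bot: Replacing ret = EINVAL; goto done; with continue in nss_protocol_fill_initgr() means initgroups now returns a partial group list that the caller cannot tell apart from a complete one. Group membership feeds access decisions, and a missing group can loosen policy as well as tighten it (for example a rule that denies members of D2\X from the commit message), so the skip should stay visible to the administrator. The hunk also drops the message from SSSDBG_CRIT_FAILURE to SSSDBG_MINOR_FAILURE, which leaves only a lower-priority debug line as the trace; I would keep a more prominent level, or log once per request how many groups were skipped. Please also add a test with one incomplete group object among complete ones and verify that the reply contains exactly the complete groups.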
[SSSD] [sssd PR#613][comment] cache_req: Keep the files provider as the first domain to be searched
URL: https://github.com/SSSD/sssd/pull/613
Title: #613: cache_req: Keep the files provider as the first domain to be searched

fidencio commented:
"""
And make-check-valgrind is failing.
Let me add the "Changes Requested" label again.
"""

See the full comment at https://github.com/SSSD/sssd/pull/613#issuecomment-403839339
[SSSD] [sssd PR#613][+Changes requested] cache_req: Keep the files provider as the first domain to be searched
URL: https://github.com/SSSD/sssd/pull/613
Title: #613: cache_req: Keep the files provider as the first domain to be searched
Label: +Changes requested
[SSSD] [sssd PR#613][comment] cache_req: Keep the files provider as the first domain to be searched
URL: https://github.com/SSSD/sssd/pull/613
Title: #613: cache_req: Keep the files provider as the first domain to be searched

fidencio commented:
"""
@sumit-bose, I've updated the patchset.

Changes since last version:
- rebased atop of git master;
- making use of is_files_provider() call that was pushed today;
- wrote tests for the changes in this patchset;
- wrote tests for another issue fixed some time ago (https://pagure.io/SSSD/sssd/issue/3743);
"""

See the full comment at https://github.com/SSSD/sssd/pull/613#issuecomment-403808818
[SSSD] [sssd PR#613][-Changes requested] cache_req: Keep the files provider as the first domain to be searched
URL: https://github.com/SSSD/sssd/pull/613
Title: #613: cache_req: Keep the files provider as the first domain to be searched
Label: -Changes requested
[SSSD] [sssd PR#613][synchronized] cache_req: Keep the files provider as the first domain to be searched
URL: https://github.com/SSSD/sssd/pull/613 Author: fidencio Title: #613: cache_req: Keep the files provider as the first domain to be searched Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/613/head:pr613 git checkout pr613 From 28b1d6bf51f6c9bf85ec4a59f70143004b2edcb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 9 Jul 2018 12:58:34 +0200 Subject: [PATCH 1/3] cache_req: keep the files provider as the first domain to be searched MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently we can't guarantee any order on which domain will the first to be searched. More than that, in case domain_resolution_order is set, we actually enforce that the first domain searched will respect the option set. This behaviour is not exactly the expect, as the implicit files domain has to be searched first in order to avoid querying for local users in remote domains. In order to enforce this, let's just keep the files domain as the first to be searched, always! Resolves: https://pagure.io/SSSD/sssd/issue/3768 Signed-off-by: Fabiano Fidêncio --- src/responder/common/cache_req/cache_req_domain.c | 15 ++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c index ad86d1252..d1621cbab 100644 --- a/src/responder/common/cache_req/cache_req_domain.c +++ b/src/responder/common/cache_req/cache_req_domain.c @@ -148,6 +148,7 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx, int flag = SSS_GND_ALL_DOMAINS; int i; bool enforce_non_fqnames = false; +bool files_provider = false; errno_t ret; /* Firstly, in case a domains' resolution order is passed ... iterate over 
@@ -190,6 +191,8 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx, continue; } +files_provider = is_files_provider(dom); + cr_domain = talloc_zero(mem_ctx, struct cache_req_domain); if (cr_domain == NULL) { ret = ENOMEM; @@ -207,11 +210,21 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx, * NOTE: we do *not* want to use fully qualified names for the * files provider.*/ if (resolution_order != NULL) { -if (!is_files_provider(cr_domain->domain)) { +if (!files_provider) { sss_domain_info_set_output_fqnames(cr_domain->domain, true); } } +/* The implicit files provider should always be searched firstly, + * doesn't matter whether the domain_resolution_order set! + * + * By doing this we avoid querying other domains for local users. + */ +if (files_provider) { +DLIST_ADD(cr_domains, cr_domain); +continue; +} + DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *); } From d9786a565a2a5583e887a360ca79f865b04dd1aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 10 Jul 2018 11:05:30 +0200 Subject: [PATCH 2/3] tests: add basic tests for cache_req_domain_new_list_from_domain_resolution_order() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Related: https://pagure.io/SSSD/sssd/issue/3768 Signed-off-by: Fabiano Fidêncio --- Makefile.am | 14 ++- src/tests/domain_resolution_order-tests.c | 193 ++ 2 files changed, 206 insertions(+), 1 deletion(-) create mode 100644 src/tests/domain_resolution_order-tests.c diff --git a/Makefile.am b/Makefile.am index 73e40def8..4786639f7 100644 --- a/Makefile.am +++ b/Makefile.am @@ -219,7 +219,8 @@ if HAVE_CHECK ipa_hbac-tests \ sss_idmap-tests \ responder_socket_access-tests \ -safe-format-tests +safe-format-tests \ +domain_resolution_order-tests if BUILD_SSH non_interactive_check_based_tests += sysdb_ssh-tests 
@@ -2059,6 +2060,17 @@ files_tests_LDADD = \ $(SSSD_INTERNAL_LTLIBS) endif # HAVE_INOTIFY +domain_resolution_order_tests_SOURCES = \ +src/tests/domain_resolution_order-tests.c \ +src/responder/common/cache_req/cache_req_domain.c +domain_resolution_order_tests_CFLAGS = \ +$(AM_CFLAGS) \ +$(CHECK_CFLAGS) +domain_resolution_order_tests_LDADD = \ +$(CHECK_LIBS) \ +libsss_test_common.la \ +$(SSSD_INTERNAL_LTLIBS) + SSSD_RESOLV_TESTS_OBJ = \ $(SSSD_RESOLV_OBJ) diff --git a/src/tests/domain_resolution_order-tests.c b/src/tests/domain_resolution_order-tests.c new file mode 100644 index 0..d074e0c68 --- /dev/null +++ b/src/tests/domain_resolution_order-tests.c @@ -0,0 +1,193 @@ +/* +Authors: +Fabiano Fidêncio + +Copyright (C) 2018 Red Hat + +SSSD tests: Domain
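Review bot: files_provider is declared at function scope in the first hunk of PATCH 1/3 (@@ -148,6 +148,7 @@) and assigned at a single point (@@ -190,6 +191,8 @@), after the guard that ends in continue, so any other path in cache_req_domain_new_list_from_string_list() that reaches the later if (files_provider) checks would see the value left over from a previous iteration. Please confirm there is no such path, or declare the flag inside the loop body next to the assignment. Note also that the removed check used is_files_provider(cr_domain->domain) while the new one evaluates is_files_provider(dom) before cr_domain is allocated; the two are equivalent only as long as cr_domain->domain is always set to dom.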
[SSSD] [sssd PR#607][closed] Do not apply override_homedir and override_shell to files provider
URL: https://github.com/SSSD/sssd/pull/607
Author: fidencio
Title: #607: Do not apply override_homedir and override_shell to files provider
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/607/head:pr607
git checkout pr607
[SSSD] [sssd PR#607][+Pushed] Do not apply override_homedir and override_shell to files provider
URL: https://github.com/SSSD/sssd/pull/607
Title: #607: Do not apply override_homedir and override_shell to files provider
Label: +Pushed
[SSSD] [sssd PR#607][comment] Do not apply override_homedir and override_shell to files provider
URL: https://github.com/SSSD/sssd/pull/607
Title: #607: Do not apply override_homedir and override_shell to files provider

jhrozek commented:
"""
* master:
    2373df99b9ff166bcbdb0c69fe5e28bd32ea43bf
    024c1b3ae419791b2382db97c1a3d4ceca3ad3cd
    fe48bc32d11743a6302d2a97d4120d787e68e37d
    241594613f3ef3b428851a7866905e41c967b893
    3b19518f18f59cc4fe23625ccfbede62992ef172
    ded46b7b7bea7ed6454adca2179e2347609a3321
"""

See the full comment at https://github.com/SSSD/sssd/pull/607#issuecomment-403794111
[SSSD] [sssd PR#609][closed] SUDO: Don't save duplicates when saving qualified names
URL: https://github.com/SSSD/sssd/pull/609
Author: jhrozek
Title: #609: SUDO: Don't save duplicates when saving qualified names
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/609/head:pr609
git checkout pr609
[SSSD] [sssd PR#609][comment] SUDO: Don't save duplicates when saving qualified names
URL: https://github.com/SSSD/sssd/pull/609
Title: #609: SUDO: Don't save duplicates when saving qualified names

jhrozek commented:
"""
* master:
    e75601bfe8475e4c1f821255a3f80c0a5d30f2be
    5d838e13351d3062346ca449e00845750b9447da
    b14cb238c5fe737c33e271f8ca5bef8f8c6e0238
    074a9ea7b443b25bf27b4cf8e647a3e9b11363d8
    4991e467c59cb1646c957f0037016a71c2fbc1bc
"""

See the full comment at https://github.com/SSSD/sssd/pull/609#issuecomment-403792571
[SSSD] [sssd PR#609][+Pushed] SUDO: Don't save duplicates when saving qualified names
URL: https://github.com/SSSD/sssd/pull/609
Title: #609: SUDO: Don't save duplicates when saving qualified names
Label: +Pushed
[SSSD] [sssd PR#610][+Pushed] AD: consult the Partial Attribute Set instead of searching the GC for POSIX attributes
URL: https://github.com/SSSD/sssd/pull/610
Title: #610: AD: consult the Partial Attribute Set instead of searching the GC for POSIX attributes
Label: +Pushed
[SSSD] [sssd PR#610][closed] AD: consult the Partial Attribute Set instead of searching the GC for POSIX attributes
URL: https://github.com/SSSD/sssd/pull/610
Author: jhrozek
Title: #610: AD: consult the Partial Attribute Set instead of searching the GC for POSIX attributes
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/610/head:pr610
git checkout pr610
[SSSD] [sssd PR#610][comment] AD: consult the Partial Attribute Set instead of searching the GC for POSIX attributes
URL: https://github.com/SSSD/sssd/pull/610
Title: #610: AD: consult the Partial Attribute Set instead of searching the GC for POSIX attributes

jhrozek commented:
"""
* master:
    * 5b2b6493dfb3c1f2cb945356e34c70d8c5d64185
    * 8d78119811e2572bb1a05da5abb7c5a2d43d1f97
    * 4273ac0490eeef72d2daa0c7f6cee80d65b6b34d
    * ba96e7b839b875946f03787a3a57f259230a0fef
    * c8d1c1b734a1763b3e1233f060cc5c8d6db078e9
"""

See the full comment at https://github.com/SSSD/sssd/pull/610#issuecomment-403790501
[SSSD] [sssd PR#607][+Accepted] Do not apply override_homedir and override_shell to files provider
URL: https://github.com/SSSD/sssd/pull/607
Title: #607: Do not apply override_homedir and override_shell to files provider

Label: +Accepted
[SSSD] [sssd PR#611][comment] Do not build the local provider by default
URL: https://github.com/SSSD/sssd/pull/611
Title: #611: Do not build the local provider by default

jhrozek commented:
"""
About the sysdb tests, can you paste what issues you faced here? Or push a branch? I could see issues with not matching number of groups returned because the local provider is mpg-enabled by default, but I don't know what the issue with users could be.
"""

See the full comment at https://github.com/SSSD/sssd/pull/611#issuecomment-403767914
[SSSD] [sssd PR#611][comment] Do not build the local provider by default
URL: https://github.com/SSSD/sssd/pull/611
Title: #611: Do not build the local provider by default

jhrozek commented:
"""
btw I'm not sold either way myself, on one hand the local provider might be handy for tests, on the other hand I haven't used it in a long time myself. So I would not be completely mad if it goes away.
"""

See the full comment at https://github.com/SSSD/sssd/pull/611#issuecomment-403766637
[SSSD] [sssd PR#611][comment] Do not build the local provider by default
URL: https://github.com/SSSD/sssd/pull/611
Title: #611: Do not build the local provider by default

jhrozek commented:
"""
Thanks, this is a good start. We also want to remove the whole pysss.local interface and not build the `sss_*` tools like `sss_useradd` and so on. If you want to remove the usage of the local provider from tests, does it make sense to keep the code at all using the is_local_provider functions? Remember the code is not lost forever, we can always resurrect it from git history.
"""

See the full comment at https://github.com/SSSD/sssd/pull/611#issuecomment-403766316
[SSSD] [sssd PR#607][synchronized] Do not apply override_homedir and override_shell to files provider
URL: https://github.com/SSSD/sssd/pull/607 Author: fidencio Title: #607: Do not apply override_homedir and override_shell to files provider Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/607/head:pr607 git checkout pr607 From 6f1b1cea4da20a16b1cfea8302d950d03651867c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 26 Jun 2018 19:40:29 +0200 Subject: [PATCH 1/6] files: do not apply override_homedir to files provider MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit override_homedir should not be applied to files provider as the provider should always return *only* what's in the files and nothing else. Resolves: https://pagure.io/SSSD/sssd/issue/3758 Signed-off-by: Fabiano Fidêncio --- src/confdb/confdb.c| 4 +++- src/responder/nss/nss_protocol_pwent.c | 21 + 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index 5b4cbec8e..c330586e5 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1283,7 +1283,9 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_NSS_OVERRIDE_HOMEDIR, NULL); -if (tmp != NULL) { +/* Here we skip the files provider as it should always return *only* + * what's in the files and nothing else. */ +if (tmp != NULL && strcasecmp(domain->provider, "files") != 0) { domain->override_homedir = talloc_strdup(domain, tmp); if (!domain->override_homedir) { ret = ENOMEM; diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c index f449ec69b..af9e74fc8 100644 --- a/src/responder/nss/nss_protocol_pwent.c +++ b/src/responder/nss/nss_protocol_pwent.c 
@@ -65,15 +65,20 @@ nss_get_homedir_override(TALLOC_CTX *mem_ctx, homedir_ctx->config_homedir_substr = nctx->homedir_substr; } -/* Check whether we are unconditionally overriding the server - * for home directory locations. +/* Here we skip the files provider as it should always return *only* + * what's in the files and nothing else. */ -if (dom->override_homedir) { -return expand_homedir_template(mem_ctx, dom->override_homedir, - dom->case_preserve, homedir_ctx); -} else if (nctx->override_homedir) { -return expand_homedir_template(mem_ctx, nctx->override_homedir, - dom->case_preserve, homedir_ctx); +if (strcasecmp(dom->provider, "files") != 0) { +/* Check whether we are unconditionally overriding the server + * for home directory locations. + */ +if (dom->override_homedir) { +return expand_homedir_template(mem_ctx, dom->override_homedir, + dom->case_preserve, homedir_ctx); +} else if (nctx->override_homedir) { +return expand_homedir_template(mem_ctx, nctx->override_homedir, + dom->case_preserve, homedir_ctx); +} } if (!homedir || *homedir == '\0') { From a193d1b321b3611c2cfa5432e47b1e27fe027015 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 27 Jun 2018 12:59:06 +0200 Subject: [PATCH 2/6] tests: add override_homedir tests for files provider MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolves: http://pagure.io/SSSD/sssd/issue/3758 Signed-off-by: Fabiano Fidêncio --- src/tests/intg/test_files_provider.py | 26 ++ 1 file changed, 26 insertions(+) diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py index 5c95c68d2..dac41b196 100644 --- a/src/tests/intg/test_files_provider.py +++ b/src/tests/intg/test_files_provider.py 
@@ -310,6 +310,25 @@ def domain_resolution_order(request): return None +@pytest.fixture +def override_homedir(request): +conf = unindent("""\ +[sssd] +domains = files +services= nss + +[domain/files] +id_provider = files +override_homedir = /test/bar + +[nss] +override_homedir = /test/foo +""").format(**locals()) +create_conf_fixture(request, conf) +create_sssd_fixture(request) +return None + + def setup_pw_with_list(request, user_list): pwd_ops = passwd_ops_setup(request) for user in user_list: @@ -1198,3 +1217,10 @@ def test_files_with_domain_resolution_order(add_user_with_canary, its fully-qualified name. """ check_user(USER1) + + +def test_files_with_override_homedir(add_user_with_canary, + override_homedir): +res, user = sssd_getpwnam_sync(USER1["name"]) +
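Review bot: The `strcasecmp(domain->provider, "files") != 0` test added in the confdb.c hunk of patch 1/6 is the same open-coded comparison that the nss_protocol_pwent.c hunk adds on `dom->provider`, so the definition of "files provider" now lives in two places. A shared predicate, such as the is_files_provider helper mentioned in the PR#607 comments, would keep the two call sites consistent. The visible lines also pass `domain->provider` to strcasecmp without a NULL check; please confirm it is always set by the time confdb_get_domain_internal() reaches this point.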
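Review bot: In the nss_get_homedir_override() hunk of patch 1/6, the new `if (strcasecmp(dom->provider, "files") != 0)` guard wraps both the `dom->override_homedir` branch and the `nctx->override_homedir` branch, but the added comment does not say that the [nss]-level option is deliberately ignored for the files domain as well. Since the confdb.c hunk in the same patch already stops `domain->override_homedir` from being set from the configuration for the files provider, the guard here matters mainly for the `nctx->override_homedir` branch; one more sentence in the comment stating that would make the intent clear to the next reader.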
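Review bot: In the `override_homedir` fixture added by the first test_files_provider.py hunk of patch 2/6, the config string contains no `{}` placeholders, so `.format(**locals())` substitutes nothing and can be dropped. `services= nss` is also missing the space before `=` that the other keys in the same fixture use.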
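Review bot: test_files_with_override_homedir, added in the last test_files_provider.py hunk of patch 2/6, has no docstring, unlike the test directly above it, whose docstring ends with "its fully-qualified name." A short docstring saying that both the [domain/files] value /test/bar and the [nss] value /test/foo set by the fixture are expected to be ignored would document what the test guards.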
[SSSD] [sssd PR#607][comment] Do not apply override_homedir and override_shell to files provider
URL: https://github.com/SSSD/sssd/pull/607
Title: #607: Do not apply override_homedir and override_shell to files provider

fidencio commented:
"""
Done!
"""

See the full comment at https://github.com/SSSD/sssd/pull/607#issuecomment-403755674
[SSSD] [sssd PR#607][comment] Do not apply override_homedir and override_shell to files provider
URL: https://github.com/SSSD/sssd/pull/607
Title: #607: Do not apply override_homedir and override_shell to files provider

jhrozek commented:
"""
Thanks for the quick turnaround, now really the last thing, can you move the definition of is_files_provider from utils.c to domain_info_utils.c so that we keep all the domain-related functions in one place? (The declaration can stay in util.h).
"""

See the full comment at https://github.com/SSSD/sssd/pull/607#issuecomment-403749486