[SSSD] Re: [PATCH] Netlink: Ignore RTM_NEWADDR signals from link-local

[Lukas Slebodnik]

On (06/04/16 15:38), Jakub Hrozek wrote:
>On Wed, Apr 06, 2016 at 03:16:20PM +0200, Jakub Hrozek wrote:
>> On Wed, Apr 06, 2016 at 08:39:39AM -0400, Stephen Gallagher wrote:
>> > 
>> > 
>> > > On Apr 6, 2016, at 8:37 AM, Jakub Hrozek  wrote:
>> > > 
>> > >> On Tue, Apr 05, 2016 at 02:34:33PM -0400, Stephen Gallagher wrote:
>> > >> We only need to go online if we receive a netlink signal that might
>> > >> indicate that the external connection might have become available. This
>> > >> will never be true for link-local addresses.
>> > >> 
>> > > 
>> > > The indentation of DEBUG messages is a bit off on two of places. I fixed
>> > > them locally, if you agree, I would like to push:
>> > >
>> > > https://github.com/jhrozek/sssd/commit/818eada2a68b6c9cff9eb3285ff6126ba4032e31
>> > > 
>> > > (Just the intentation changed, nothing else..)
>> > 
>> > 
>> > Fine by me.
>> 
>> OK, ACK
>> 
>> Thank you for the patch and the investigation!
>
>CI: http://sssd-ci.duckdns.org/logs/job/40/75/summary.html
>
>btw I tested by bringing up and down the loopback interface and making
>sure that addresses like ::1 are filtered out.
>
>* master: a9d1b4b61b614a954c784f224b8fe7a47b6dd206
Stephen,

I think you would like to have this patch in fedora 24 :-)
I can backport this patch just to fedora if you file a BZ
or we can backport this patch to 1.13 branch
and it will be in fedora with next release (1.13.4)
which should be next week.

What do you prefer?

LS
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] test_ipa_subdom_server: Workaround for slow krb5 + SELinux

[Lukas Slebodnik]

On (07/04/16 09:20), Lukas Slebodnik wrote:
>On (06/04/16 18:44), Jakub Hrozek wrote:
>>On Tue, Mar 15, 2016 at 04:47:50PM +0100, Lukas Slebodnik wrote:
>>> ehlo,
>>> 
>>> There were failures[1] on rhel6 machine with latest packages.
>>> it took me a while to find out which package cuaed it.
>>> Therefore I downgraded rhel machine to vanilla rhel6.7
>>> and I was troubleshooting it on different machine.
>>> 
>>> The failures of test_ipa_subdom_server are caused by fixing
>>> memory leak in krb5[2]. BTW there is also plan to fix it in rhel7[3]
>>> 
>>> sh$ time libtool --mode=execute ./test_ipa_subdom_server
>>> 
>>> enabled/permissive SELinux
>>> real0m7.976s
>>> user0m6.680s
>>> sys 0m0.189s
>>> 
>>> disabled SELinux
>>> real0m2.111s
>>> user0m0.071s
>>> sys 0m0.043s
>>> 
>>> valgrind + enabled/permissive SELinux //but test failed.
>>> real2m7.310s
>>> user2m17.080s
>>> sys 0m0.786s
>>> 
>>> valgrind + disabled SELinux
>>> real0m5.510s
>>> user0m3.396s
>>> sys 0m0.309s
>>> 
>>> Attached patch "emulates" disabled SELinux.
>>> If we do not want to do that for unit test than we need to increase
>>> few timeouts.
>>> diff --git a/src/providers/ipa/ipa_subdomains_server.c 
>>> b/src/providers/ipa/ipa_subdomains_server.c
>>> index f279efc..7d8b3d3 100644
>>> --- a/src/providers/ipa/ipa_subdomains_server.c
>>> +++ b/src/providers/ipa/ipa_subdomains_server.c
>>> @@ -124,7 +124,7 @@ const char *ipa_trust_dir2str(uint32_t direction)
>>>  }
>>> 
>>>  #ifndef IPA_GETKEYTAB_TIMEOUT
>>> -#define IPA_GETKEYTAB_TIMEOUT 15
>>> +#define IPA_GETKEYTAB_TIMEOUT 5
>>>  #endif /* IPA_GETKEYTAB_TIMEOUT */
>>> 
>>>  static struct ad_options *
>>> diff --git a/src/tests/cmocka/test_ipa_subdomains_server.c 
>>> b/src/tests/cmocka/test_ipa_subdomains_server.c
>>> index d1e0945..3c40f04 100644
>>> --- a/src/tests/cmocka/test_ipa_subdomains_server.c
>>> +++ b/src/tests/cmocka/test_ipa_subdomains_server.c
>>> @@ -508,7 +508,7 @@ static void test_ipa_server_trust_init(void **state)
>>>  ret = ipa_ad_subdom_init(test_ctx->be_ctx, test_ctx->ipa_ctx);
>>>  assert_int_equal(ret, EOK);
>>> 
>>> -tv = tevent_timeval_current_ofs(15, 0);
>>> +tv = tevent_timeval_current_ofs(1, 0);
>>>  timeout_handler = tevent_add_timer(test_ctx->tctx->ev, test_ctx, tv,
>>> ipa_server_init_done, test_ctx);
>>>  assert_non_null(timeout_handler);
>>> @@ -849,7 +849,7 @@ static void test_ipa_server_trust_oneway_init(void 
>>> **state)
>>>  ret = ipa_ad_subdom_init(test_ctx->be_ctx, test_ctx->ipa_ctx);
>>>  assert_int_equal(ret, EOK);
>>> 
>>> -tv = tevent_timeval_current_ofs(15, 0);
>>> +tv = tevent_timeval_current_ofs(1, 0);
>>>  timeout_handler = tevent_add_timer(test_ctx->tctx->ev, test_ctx, tv,
>>> ipa_server_init_done, test_ctx);
>>>  assert_non_null(timeout_handler);
>>> 
>>> 
>>> Lower values caused intermittent failures.
>>> 
>>> Here are execution times after changing timeouts.
>>> 
>>> valgrind + enabled/permissive SELinux
>>> real3m5.812s
>>> user2m59.929s
>>> sys 0m1.071s
>>> 
>>> valgrind + disabled SELinux
>>> real0m33.541s
>>> user0m3.392s
>>> sys 0m0.322s
>>> 
>>> disabled SELinux
>>> real0m30.134s
>>> user0m0.069s
>>> sys 0m0.040s
>>> 
>>> enabled/permissive SELinux
>>> real0m36.014s
>>> user0m6.768s
>>> sys 0m0.155s
>>> 
>>> LS
>>> 
>>> [1] http://sssd-ci.duckdns.org/logs/job/39/10/summary.html
>>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1311287
>>> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1313457
>>
>>> From 90516358f0a87f7f35dc60e9cb7006f97ff578bd Mon Sep 17 00:00:00 2001
>>> From: Lukas Slebodnik 
>>> Date: Tue, 15 Mar 2016 16:14:23 +0100
>>> Subject: [PATCH] test_ipa_subdom_server: Workaround for slow krb5 + SELinux
>>> 
>>
>>> diff --git a/src/tests/cmocka/test_ipa_subdomains_server.c 
>>> b/src/tests/cmocka/test_ipa_subdomains_server.c
>>> index 
>>> 3c40f04e3712b22ffc497e08a5b8f38921f4b8b1..0fddc951894dee45658497851473b9bddbba0ef7
>>>  100644
>>> --- a/src/tests/cmocka/test_ipa_subdomains_server.c
>>> +++ b/src/tests/cmocka/test_ipa_subdomains_server.c
>>> @@ -69,6 +69,26 @@
>>>  
>>>  static bool global_rename_called;
>>>  
>>> +#ifdef HAVE_SELINUX
>>> +/* Provide faster implementation of kerberos function
>>> + * krb5int_labeled_[f]?open. Real functions take care also
>>> + * about SELinux context which is very expensive operation
>>> + * and cause failures due to timeout when executing with valgrind.
>>> + * It's approximately 40 times slower with real function
>>> + */
>>> +FILE *
>>> +krb5int_labeled_fopen(const char *path, const char *mode)
>>> +{
>>> +return fopen(path, mode);
>>> +}
>>> +
>>> +int
>>> +krb5int_labeled_open(const char *path, int flags, mode_t mode)
>>> +{
>>> +return open(path, flags, mode);
>>> +}
>>> +#endif /* HAVE_SELINUX */
>>> +
>>
>>This patch 

[SSSD] Re: [PATCH] AD: Recognize Windows Server 2016

[Lukas Slebodnik]

On (06/04/16 15:30), Jakub Hrozek wrote:
>Hi,
>
>I was doing a smoke-test with Windows Server 2016 after receiving
>several requests from users (mainly about IDMU deprecation) and find out
>that WS 2016 reports a higher Domain Compatibility level.
>
>Even though that Windows Server release is not officially out yet and
>the documentation hasn't been amended yet at:
>https://msdn.microsoft.com/en-us/library/cc223272.aspx
>I think we could merge this patch without breaking anything.
I think too :-)

ACK

http://sssd-ci.duckdns.org/logs/job/40/87/summary.html
Do we want this patch also in stable branch?

LS
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] AD: Recognize Windows Server 2016

[Lukas Slebodnik]

On (07/04/16 09:12), Lukas Slebodnik wrote:
>On (06/04/16 15:30), Jakub Hrozek wrote:
>>Hi,
>>
>>I was doing a smoke-test with Windows Server 2016 after receiving
>>several requests from users (mainly about IDMU deprecation) and find out
>>that WS 2016 reports a higher Domain Compatibility level.
>>
>>Even though that Windows Server release is not officially out yet and
>>the documentation hasn't been amended yet at:
>>https://msdn.microsoft.com/en-us/library/cc223272.aspx
>>I think we could merge this patch without breaking anything.
>I think too :-)
>
>ACK
>
master:
* c6fb6dbdfc3084c870714a8782d2bf89d8aec209

LS
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] memberof: Fix a memory leak when removing ghost users

[Lukas Slebodnik]

On (06/04/16 18:38), Jakub Hrozek wrote:
>Hi,
>
>I'm sorry I didn't catch this when I developed the original patch, but
>today I was trying to write the leak patches as Lukas suggested the
>other day..I haven't succeeded at that yet, but I found another leak.
>
Even if you will not able to write a test your effort has some outcome.
I glad my idea was not useless.

LS
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] GPO_CHILD: Create directories in gpo_cache with right permissions

[Lukas Slebodnik]

On (06/04/16 16:14), Jakub Hrozek wrote:
>On Fri, Apr 01, 2016 at 03:18:25PM +0200, Lukas Slebodnik wrote:
>> On (03/03/16 13:50), Lukas Slebodnik wrote:
>> >ehlo,
>> >
>> >review is appreciated.
>> Bump
>> 
>> LS
>
>I'm sorry for the late review. The patches seem to work fine, without
>them, I was seeing:
>(Wed Apr  6 14:11:20 2016) [[sssd[gpo_child[24569 [prepare_gpo_cache] 
>(0x0020): 
>mkdir(/var/lib/sss/gpo_cache/win.trust.test/Policies/{D481A0E6-73EA-4CEA-9197-B70014D851D9})
> failed: 13
>(Wed Apr  6 14:11:20 2016) [[sssd[gpo_child[24569 [gpo_cache_store_file] 
>(0x0020): prepare_gpo_cache failed [13][Permission denied]
>(Wed Apr  6 14:11:20 2016) [[sssd[gpo_child[24569 [gpo_cache_store_file] 
>(0x0020): Error encountered: 13.
>(Wed Apr  6 14:11:20 2016) [[sssd[gpo_child[24569 
>[copy_smb_file_to_gpo_cache] (0x0020): gpo_cache_store_file failed 
>[13][Permission denied]
>(Wed Apr  6 14:11:20 2016) [[sssd[gpo_child[24569 [perform_smb_operations] 
>(0x0020): copy_smb_file_to_gpo_cache failed [13][Permission denied]
>(Wed Apr  6 14:11:20 2016) [[sssd[gpo_child[24569 [main] (0x0020): 
>perform_smb_operations failed.[13][Permission denied].
>
>GPO works fine after applying the patches (and removing the directories
>with the faulty permissions)
>
>ACK
master:
* d0e0cf6ee47ab538efc47c7882f498f1b5e0f0c7
* 192126738fa82c5624f4740147426c552126c602

sssd-1-13:
* 0060bfb03ae7678617accf61b45a13d625697cee
* df1a928455d0e5892ec129589f74e1704f66f201

LS
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] SPEC: Run extra unit tests with epel

[Lukas Slebodnik]

On (06/04/16 17:47), Jakub Hrozek wrote:
>On Wed, Apr 06, 2016 at 05:10:02PM +0200, Jakub Hrozek wrote:
>> On Fri, Apr 01, 2016 at 03:17:00PM +0200, Lukas Slebodnik wrote:
>> > On (31/03/16 09:46), Lukas Slebodnik wrote:
>> > >On (18/03/16 17:53), Lukas Slebodnik wrote:
>> > >>On (17/03/16 23:17), Jakub Hrozek wrote:
>> > >>>On Mon, Mar 07, 2016 at 04:12:00PM +0100, Lukas Slebodnik wrote:
>> >  ehlo,
>> >  
>> >  simple patch is attached.
>> >  
>> >  LS
>> > >>>
>> > >>>Garbage-collecting easy patches untouched for a week or more..
>> > >>>
>> > >>>The patch looks good and according to:
>> > >>>
>> > >>> http://sssd-ci.duckdns.org/logs/job/39/61/rhel6/ci-build-debug/ci-make-check-valgrind.log
>> > >>It should not be related to the patch.
>> > >>
>> > >I look deeply into the issue and it isn't realted to my patch.
>> > >It's caused by slow down caused by valgrind.
>> > >
>> > >[==] Running 3 test(s).
>> > >[ RUN  ] test_run_as_root_fg
>> > >[   OK ] test_run_as_root_fg
>> > >[ RUN  ] test_run_as_sssd_fg
>> > >[   OK ] test_run_as_sssd_fg
>> > >[ RUN  ] test_run_as_root_daemon
>> > >killing 7393
>> > >[   OK ] test_run_as_root_daemon
>> > >[==] 3 test(s) run.
>> > >[  PASSED  ] 3 test(s).
>> > >PASS: server-tests
>> > >As you can see test passed here. Because test_run_as_root_daemon
>> > >check only creation of pid file and does not wait for full initialisation
>> > >of server.
>> > >
>> > >(Thu Mar 17 07:49:13:826379 2016) [test_run_as_root_daemon] [ldb] 
>> > >(0x0020): Unable to open tdb 'server_tests/config.ldb'(Thu Mar 17 
>> > >07:49:13:899494 2016) [test_run_as_root_daemon] [ldb] (0x0020): Failed to 
>> > >connect to 'server_tests/config.ldb' with backend 'tdb': Unable to open 
>> > >tdb 'server_tests/config.ldb'(Thu Mar 17 07:49:13:901723 2016) 
>> > >[test_run_as_root_daemon] [confdb_init] (0x0010): Unable to open config 
>> > >database [server_tests/config.ldb]
>> > >(Thu Mar 17 07:49:13:905037 2016) [test_run_as_root_daemon] 
>> > >[server_setup] (0x0010): The confdb initialization failed
>> > >0x5 != 0
>> > >/var/lib/jenkins/workspace/ci/label/rhel6/src/tests/cwrap/test_server.c:154:
>> > > error: Failure!
>> > >
>> > >[  FAILED  ] test_run_as_root_daemon
>> > >[==] 3 test(s) run.
>> > >[  PASSED  ] 2 test(s).
>> > >[  FAILED  ] 1 test(s), listed below:
>> > >[  FAILED  ] test_run_as_root_daemon
>> > >
>> > >The failure is in child process due to race condition caused by slow 
>> > >execution.
>> > >
>> > >The parent process in server-tests sent SIGTERM signal to child process.
>> > >You can see a message "killing 7393" few lines before.
>> > >But child process tried to initialize confdb even though it isn't 
>> > >necessary
>> > >here for this case.
>> > >
>> > >It isn't problem without valgrind becuase child process is fast enough.
>> > >
>> > >One solution can be to send SIGKILL to child process as part of cleanup
>> > >in test_run_as_root_daemon. But that's not related to this patch :-)
>> > >
>> > >>You should look into build.log in ci-mock-result.
>> > >>
>> > >>However I could not see cmocka tests executed there.
>> > >>Are you sure you provided link to build with this patch?
>> > >>
>> > >And now back to epel change in spec file.
>> > >
>> > >I could not see cmocka test executed in mock build output
>> > >because "%{epel}" macro was not defined in epel6. It is
>> > >only defined in epel7.
>> > >
>> > >You can compare following build logs
>> > >http://sssd-ci.duckdns.org/logs/job/39/61/rhel7/ci-build-debug/ci-mock-result/build.log
>> > >http://sssd-ci.duckdns.org/logs/job/39/61/rhel6/ci-build-debug/ci-mock-result/build.log
>> > >
>> > >However, fixed version of epel-rpm-macros-6-6 will be in testing
>> > >in few hours :-)
>> > >https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7c8a4eb5b6
>> > >
>> > Simplified version of spec file is attached.
>> > 
>> > LS
>> 
>> I tested the patch with a local mock build and saw all tests pass,
>> including cwrap-powered tests.
>> 
>> Thank you, ACK.
>> 
>> Will push when CI finished.
>
>CI: http://sssd-ci.duckdns.org/logs/job/40/78/summary.html
master:
* 6373d0111ee2e820d6e534d1a8b99de8587d08de

sssd-1-13:
* 0befc9ae024cf8c9a2d42ab21591699e659dd420

LS
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] test_ipa_subdom_server: Workaround for slow krb5 + SELinux

[Lukas Slebodnik]

On (06/04/16 18:44), Jakub Hrozek wrote:
>On Tue, Mar 15, 2016 at 04:47:50PM +0100, Lukas Slebodnik wrote:
>> ehlo,
>> 
>> There were failures[1] on rhel6 machine with latest packages.
>> it took me a while to find out which package cuaed it.
>> Therefore I downgraded rhel machine to vanilla rhel6.7
>> and I was troubleshooting it on different machine.
>> 
>> The failures of test_ipa_subdom_server are caused by fixing
>> memory leak in krb5[2]. BTW there is also plan to fix it in rhel7[3]
>> 
>> sh$ time libtool --mode=execute ./test_ipa_subdom_server
>> 
>> enabled/permissive SELinux
>> real0m7.976s
>> user0m6.680s
>> sys 0m0.189s
>> 
>> disabled SELinux
>> real0m2.111s
>> user0m0.071s
>> sys 0m0.043s
>> 
>> valgrind + enabled/permissive SELinux //but test failed.
>> real2m7.310s
>> user2m17.080s
>> sys 0m0.786s
>> 
>> valgrind + disabled SELinux
>> real0m5.510s
>> user0m3.396s
>> sys 0m0.309s
>> 
>> Attached patch "emulates" disabled SELinux.
>> If we do not want to do that for unit test than we need to increase
>> few timeouts.
>> diff --git a/src/providers/ipa/ipa_subdomains_server.c 
>> b/src/providers/ipa/ipa_subdomains_server.c
>> index f279efc..7d8b3d3 100644
>> --- a/src/providers/ipa/ipa_subdomains_server.c
>> +++ b/src/providers/ipa/ipa_subdomains_server.c
>> @@ -124,7 +124,7 @@ const char *ipa_trust_dir2str(uint32_t direction)
>>  }
>> 
>>  #ifndef IPA_GETKEYTAB_TIMEOUT
>> -#define IPA_GETKEYTAB_TIMEOUT 15
>> +#define IPA_GETKEYTAB_TIMEOUT 5
>>  #endif /* IPA_GETKEYTAB_TIMEOUT */
>> 
>>  static struct ad_options *
>> diff --git a/src/tests/cmocka/test_ipa_subdomains_server.c 
>> b/src/tests/cmocka/test_ipa_subdomains_server.c
>> index d1e0945..3c40f04 100644
>> --- a/src/tests/cmocka/test_ipa_subdomains_server.c
>> +++ b/src/tests/cmocka/test_ipa_subdomains_server.c
>> @@ -508,7 +508,7 @@ static void test_ipa_server_trust_init(void **state)
>>  ret = ipa_ad_subdom_init(test_ctx->be_ctx, test_ctx->ipa_ctx);
>>  assert_int_equal(ret, EOK);
>> 
>> -tv = tevent_timeval_current_ofs(15, 0);
>> +tv = tevent_timeval_current_ofs(1, 0);
>>  timeout_handler = tevent_add_timer(test_ctx->tctx->ev, test_ctx, tv,
>> ipa_server_init_done, test_ctx);
>>  assert_non_null(timeout_handler);
>> @@ -849,7 +849,7 @@ static void test_ipa_server_trust_oneway_init(void 
>> **state)
>>  ret = ipa_ad_subdom_init(test_ctx->be_ctx, test_ctx->ipa_ctx);
>>  assert_int_equal(ret, EOK);
>> 
>> -tv = tevent_timeval_current_ofs(15, 0);
>> +tv = tevent_timeval_current_ofs(1, 0);
>>  timeout_handler = tevent_add_timer(test_ctx->tctx->ev, test_ctx, tv,
>> ipa_server_init_done, test_ctx);
>>  assert_non_null(timeout_handler);
>> 
>> 
>> Lower values caused intermittent failures.
>> 
>> Here are execution times after changing timeouts.
>> 
>> valgrind + enabled/permissive SELinux
>> real3m5.812s
>> user2m59.929s
>> sys 0m1.071s
>> 
>> valgrind + disabled SELinux
>> real0m33.541s
>> user0m3.392s
>> sys 0m0.322s
>> 
>> disabled SELinux
>> real0m30.134s
>> user0m0.069s
>> sys 0m0.040s
>> 
>> enabled/permissive SELinux
>> real0m36.014s
>> user0m6.768s
>> sys 0m0.155s
>> 
>> LS
>> 
>> [1] http://sssd-ci.duckdns.org/logs/job/39/10/summary.html
>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1311287
>> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1313457
>
>> From 90516358f0a87f7f35dc60e9cb7006f97ff578bd Mon Sep 17 00:00:00 2001
>> From: Lukas Slebodnik 
>> Date: Tue, 15 Mar 2016 16:14:23 +0100
>> Subject: [PATCH] test_ipa_subdom_server: Workaround for slow krb5 + SELinux
>> 
>
>> diff --git a/src/tests/cmocka/test_ipa_subdomains_server.c 
>> b/src/tests/cmocka/test_ipa_subdomains_server.c
>> index 
>> 3c40f04e3712b22ffc497e08a5b8f38921f4b8b1..0fddc951894dee45658497851473b9bddbba0ef7
>>  100644
>> --- a/src/tests/cmocka/test_ipa_subdomains_server.c
>> +++ b/src/tests/cmocka/test_ipa_subdomains_server.c
>> @@ -69,6 +69,26 @@
>>  
>>  static bool global_rename_called;
>>  
>> +#ifdef HAVE_SELINUX
>> +/* Provide faster implementation of kerberos function
>> + * krb5int_labeled_[f]?open. Real functions take care also
>> + * about SELinux context which is very expensive operation
>> + * and cause failures due to timeout when executing with valgrind.
>> + * It's approximately 40 times slower with real function
>> + */
>> +FILE *
>> +krb5int_labeled_fopen(const char *path, const char *mode)
>> +{
>> +return fopen(path, mode);
>> +}
>> +
>> +int
>> +krb5int_labeled_open(const char *path, int flags, mode_t mode)
>> +{
>> +return open(path, flags, mode);
>> +}
>> +#endif /* HAVE_SELINUX */
>> +
>
>This patch seems to work in CI and I don't think we need that specific
>functionality in tests, so ACK.
>
>CI: http://sssd-ci.duckdns.org/logs/job/40/80/summary.html
Thank you very much for review.
Now 

[SSSD] Re: [PATCH] memberof: Fix a memory leak when removing ghost users

[Jakub Hrozek]

On Thu, Apr 07, 2016 at 09:16:21AM +0200, Lukas Slebodnik wrote:
> On (06/04/16 18:38), Jakub Hrozek wrote:
> >Hi,
> >
> >I'm sorry I didn't catch this when I developed the original patch, but
> >today I was trying to write the leak patches as Lukas suggested the
> >other day..I haven't succeeded at that yet, but I found another leak.
> >
> Even if you will not able to write a test your effort has some outcome.
> I glad my idea was not useless.

I'm actually not sure how to write them properly. Normally for the leak
checks, we would use global_talloc_context instead of NULL in the code
from the start, but since the memberof plugin uses NULL internally and
it's a plugin, so there's no _send-style entry point, this wouldn't
work.

I'll try to see if we can use talloc_enable_null_tracking(), though, but
ldb also leaks some memory on the NULL context during normal operation
(IIRC when loading modules), so maybe we'll have to do some trickery
there..
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] AD: Recognize Windows Server 2016

[Jakub Hrozek]

On Thu, Apr 07, 2016 at 09:12:17AM +0200, Lukas Slebodnik wrote:
> On (06/04/16 15:30), Jakub Hrozek wrote:
> >Hi,
> >
> >I was doing a smoke-test with Windows Server 2016 after receiving
> >several requests from users (mainly about IDMU deprecation) and find out
> >that WS 2016 reports a higher Domain Compatibility level.
> >
> >Even though that Windows Server release is not officially out yet and
> >the documentation hasn't been amended yet at:
> >https://msdn.microsoft.com/en-us/library/cc223272.aspx
> >I think we could merge this patch without breaking anything.
> I think too :-)
> 
> ACK
> 
> http://sssd-ci.duckdns.org/logs/job/40/87/summary.html
> Do we want this patch also in stable branch?

I think it wouldn't hurt (or at least patch Fedora, please), because if
anyone experiments with WS2016, they will probably use the released
packages and 1.14 will not be out for some time yet.
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] Netlink: Ignore RTM_NEWADDR signals from link-local

[Stephen Gallagher]

> On Apr 7, 2016, at 3:27 AM, Lukas Slebodnik  wrote:
> 
>> On (06/04/16 15:38), Jakub Hrozek wrote:
>>> On Wed, Apr 06, 2016 at 03:16:20PM +0200, Jakub Hrozek wrote:
 On Wed, Apr 06, 2016 at 08:39:39AM -0400, Stephen Gallagher wrote:
 
 
>> On Apr 6, 2016, at 8:37 AM, Jakub Hrozek  wrote:
>> 
>> On Tue, Apr 05, 2016 at 02:34:33PM -0400, Stephen Gallagher wrote:
>> We only need to go online if we receive a netlink signal that might
>> indicate that the external connection might have become available. This
>> will never be true for link-local addresses.
>> 
> 
> The indentation of DEBUG messages is a bit off on two of places. I fixed
> them locally, if you agree, I would like to push:
>   
> https://github.com/jhrozek/sssd/commit/818eada2a68b6c9cff9eb3285ff6126ba4032e31
> 
> (Just the intentation changed, nothing else..)
 
 
 Fine by me.
>>> 
>>> OK, ACK
>>> 
>>> Thank you for the patch and the investigation!
>> 
>> CI: http://sssd-ci.duckdns.org/logs/job/40/75/summary.html
>> 
>> btw I tested by bringing up and down the loopback interface and making
>> sure that addresses like ::1 are filtered out.
>> 
>> * master: a9d1b4b61b614a954c784f224b8fe7a47b6dd206
> Stephen,
> 
> I think you would like to have this patch in fedora 24 :-)
> I can backport this patch just to fedora if you file a BZ
> or we can backport this patch to 1.13 branch
> and it will be in fedora with next release (1.13.4)
> which should be next week.
> 
> What do you prefer?
> 
> LS


Next week is fine. I'm carrying the patch locally on my machine and I haven't 
heard any other complaints. 
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

[SSSD] Re: [PATCH] memberof: Fix a memory leak when removing ghost users

[Pavel Březina]

On 04/07/2016 11:51 AM, Jakub Hrozek wrote:

On Thu, Apr 07, 2016 at 09:16:21AM +0200, Lukas Slebodnik wrote:

On (06/04/16 18:38), Jakub Hrozek wrote:

Hi,

I'm sorry I didn't catch this when I developed the original patch, but
today I was trying to write the leak patches as Lukas suggested the
other day..I haven't succeeded at that yet, but I found another leak.


Even if you will not able to write a test your effort has some outcome.
I glad my idea was not useless.


I'm actually not sure how to write them properly. Normally for the leak
checks, we would use global_talloc_context instead of NULL in the code
from the start, but since the memberof plugin uses NULL internally and
it's a plugin, so there's no _send-style entry point, this wouldn't
work.

I'll try to see if we can use talloc_enable_null_tracking(), though, but
ldb also leaks some memory on the NULL context during normal operation
(IIRC when loading modules), so maybe we'll have to do some trickery
there..


You can use talloc_total_size(NULL) if you enable null tracking.
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org