[SSSD] [sssd PR#516][synchronized] DESKPROFILE: Document it doesn't work when run as unprivileged user

2018-02-19 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/516
Author: fidencio
 Title: #516: DESKPROFILE: Document it doesn't work when run as unprivileged user
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/516/head:pr516
git checkout pr516
From aa179f6f62231dff4e5a108064cd1e91b7a9008d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Fri, 16 Feb 2018 13:12:32 +0100
Subject: [PATCH] DESKPROFILE: Document it doesn't work when run as
 unprivileged user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Fabiano Fidêncio 
---
 src/man/sssd.conf.5.xml | 5 +
 1 file changed, 5 insertions(+)

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 67856d2b3..1701d888a 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2461,6 +2461,11 @@ pam_account_locked_message = Account locked, please contact help desk.
 Default: id_provider is used if it
 is set and can perform session related tasks.
 
+
+In order to have this feature working as expected,
+SSSD must be running as "root" and not as the
+unprivileged user.
+
 
 
 
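
Review bot: the added paragraph says SSSD must run as "root" and not as "the unprivileged user", but it does not say which setting that refers to or what the reader will see when the requirement is not met. Name the sssd.conf option that selects the service user (the "user" option in the [sssd] section) and describe the visible symptom, so an administrator who deliberately runs SSSD unprivileged can tell that the session provider is the part that will not work. Because this asks for more privilege than a hardened deployment would otherwise grant, a short reason why root is needed would also help.
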
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#516][-Changes requested] DESKPROFILE: Document it doesn't work when run as unprivileged user

2018-02-19 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/516
Title: #516: DESKPROFILE: Document it doesn't work when run as unprivileged user

Label: -Changes requested


[SSSD] [sssd PR#516][comment] DESKPROFILE: Document it doesn't work when run as unprivileged user

2018-02-19 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/516
Title: #516: DESKPROFILE: Document it doesn't work when run as unprivileged user

fidencio commented:
"""
Changes done according to your suggestion.
Thanks for the review and I'm removing the "Changes Requested" label.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/516#issuecomment-366889568


[SSSD] [sssd PR#520][comment] DESKPROFILE: Fix 'Improper use of negative value'

2018-02-19 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/520
Title: #520: DESKPROFILE: Fix 'Improper use of negative value'

fidencio commented:
"""
Ouch, I've missed it in just one place.
Thanks for the patch, @sumit-bose!

ACK!
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/520#issuecomment-366889213


[SSSD] [sssd PR#520][+Accepted] DESKPROFILE: Fix 'Improper use of negative value'

2018-02-19 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/520
Title: #520: DESKPROFILE: Fix 'Improper use of negative value'

Label: +Accepted


[SSSD] [sssd PR#517][comment] Fix two memory leaks in the AD provider

2018-02-19 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/517
Title: #517: Fix two memory leaks in the AD provider

jhrozek commented:
"""
I think the patches look good in general, but the tests don't compile at the 
moment:
```
/home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_ad_common.c: In function ‘test_user_conn_list’:
/home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_ad_common.c:775:35: warning: passing argument 2 of ‘ad_user_conn_list’ from incompatible pointer type [-Wincompatible-pointer-types]
   test_ctx->dom);
   ^~~~
In file included from /home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_ad_common.c:40:0:
/home/remote/jhrozek/devel/sssd/src/providers/ad/ad_common.c:1405:1: note: expected ‘struct ad_id_ctx *’ but argument is of type ‘struct sss_domain_info *’
 ad_user_conn_list(TALLOC_CTX *mem_ctx,
 ^
/home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_ad_common.c:774:17: error: too few arguments to function ‘ad_user_conn_list’
 conn_list = ad_user_conn_list(test_ctx->ad_ctx,
 ^
In file included from /home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_ad_common.c:40:0:
/home/remote/jhrozek/devel/sssd/src/providers/ad/ad_common.c:1405:1: note: declared here
 ad_user_conn_list(TALLOC_CTX *mem_ctx,
 ^
/home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_ad_common.c:784:35: warning: passing argument 2 of ‘ad_user_conn_list’ from incompatible pointer type [-Wincompatible-pointer-types]
   test_ctx->subdom);
   ^~~~
In file included from /home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_ad_common.c:40:0:
/home/remote/jhrozek/devel/sssd/src/providers/ad/ad_common.c:1405:1: note: expected ‘struct ad_id_ctx *’ but argument is of type ‘struct sss_domain_info *’
 ad_user_conn_list(TALLOC_CTX *mem_ctx,
 ^
```

[SSSD] [sssd PR#517][+Changes requested] Fix two memory leaks in the AD provider

2018-02-19 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/517
Title: #517: Fix two memory leaks in the AD provider

Label: +Changes requested


[SSSD] [sssd PR#517][comment] Fix two memory leaks in the AD provider

2018-02-19 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/517
Title: #517: Fix two memory leaks in the AD provider

sumit-bose commented:
"""
oopsy, fixed version pushed. 
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/517#issuecomment-366703772


[SSSD] [sssd PR#517][-Changes requested] Fix two memory leaks in the AD provider

2018-02-19 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/517
Title: #517: Fix two memory leaks in the AD provider

Label: -Changes requested


[SSSD] [sssd PR#517][synchronized] Fix two memory leaks in the AD provider

2018-02-19 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/517
Author: sumit-bose
 Title: #517: Fix two memory leaks in the AD provider
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/517/head:pr517
git checkout pr517
From 3296630559b3dfd697700cb73f32422c327e6379 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 16 Feb 2018 12:07:28 +0100
Subject: [PATCH 1/2] AD: sdap_get_ad_tokengroups_done() allocate temporary
 data on state

Related to https://pagure.io/SSSD/sssd/issue/3639
---
 src/providers/ldap/sdap_async_initgroups_ad.c | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 9da671a99..30f1d3db2 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -372,7 +372,6 @@ sdap_get_ad_tokengroups_send(TALLOC_CTX *mem_ctx,
 
 static void sdap_get_ad_tokengroups_done(struct tevent_req *subreq)
 {
-TALLOC_CTX *tmp_ctx = NULL;
 struct sdap_get_ad_tokengroups_state *state = NULL;
 struct tevent_req *req = NULL;
 struct sysdb_attrs **users = NULL;
@@ -386,7 +385,7 @@ static void sdap_get_ad_tokengroups_done(struct tevent_req *subreq)
 req = tevent_req_callback_data(subreq, struct tevent_req);
 state = tevent_req_data(req, struct sdap_get_ad_tokengroups_state);
 
-ret = sdap_get_generic_recv(subreq, tmp_ctx, _users, );
+ret = sdap_get_generic_recv(subreq, state, _users, );
 talloc_zfree(subreq);
 if (ret != EOK) {
 DEBUG(SSSDBG_MINOR_FAILURE,
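
Review bot: in the sdap_get_generic_recv() call the memory context changes from tmp_ctx to state, and the lines shown in this patch only declare tmp_ctx as NULL and pass it to talloc_free() at done:, so as far as these hunks show the old free released nothing. Please say that in the commit message, since "allocate temporary data on state" alone does not explain where the leak came from. With state as the parent the reply now lives until the request is freed; if users is only needed inside this callback, consider a talloc_new(state) child that is freed at done: so the memory is released as soon as the callback returns.
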
@@ -449,8 +448,6 @@ static void sdap_get_ad_tokengroups_done(struct tevent_req *subreq)
 ret = EOK;
 
 done:
-talloc_free(tmp_ctx);
-
 if (ret != EOK) {
 tevent_req_error(req, ret);
 return;

From 95f2375a904ae489f51ce6acc4a5318d591b86f1 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 16 Feb 2018 12:09:01 +0100
Subject: [PATCH 2/2] AD: do not allocate temporary data on long living context

Related to https://pagure.io/SSSD/sssd/issue/3639
---
 src/providers/ad/ad_common.c   | 5 +++--
 src/providers/ad/ad_common.h   | 3 ++-
 src/providers/ad/ad_id.c   | 2 +-
 src/providers/ipa/ipa_deskprofile_rules_util.c | 1 +
 src/sss_client/common.c| 2 +-
 src/tests/cmocka/test_ad_common.c  | 4 ++--
 6 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 84845e285..2a1647173 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1402,13 +1402,14 @@ ad_ldap_conn_list(TALLOC_CTX *mem_ctx,
 }
 
 struct sdap_id_conn_ctx **
-ad_user_conn_list(struct ad_id_ctx *ad_ctx,
+ad_user_conn_list(TALLOC_CTX *mem_ctx,
+  struct ad_id_ctx *ad_ctx,
   struct sss_domain_info *dom)
 {
 struct sdap_id_conn_ctx **clist;
 int cindex = 0;
 
-clist = talloc_zero_array(ad_ctx, struct sdap_id_conn_ctx *, 3);
+clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 3);
 if (clist == NULL) {
 return NULL;
 }
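
Review bot: ad_user_conn_list() now allocates clist on the caller-supplied mem_ctx, but nothing at the definition says the caller owns the returned array. Add a short comment above the function, or at the prototype in ad_common.h, stating that the list is allocated on mem_ctx and is meant for a request-lifetime context; otherwise a caller that passes ad_ctx again brings the leak back. The changed signature also needs every caller updated in the same commit, including src/tests/cmocka/test_ad_common.c listed in the diffstat.
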
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index ce33b37c7..931aafc6c 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -175,7 +175,8 @@ ad_ldap_conn_list(TALLOC_CTX *mem_ctx,
   struct sss_domain_info *dom);
 
 struct sdap_id_conn_ctx **
-ad_user_conn_list(struct ad_id_ctx *ad_ctx,
+ad_user_conn_list(TALLOC_CTX *mem_ctx,
+  struct ad_id_ctx *ad_ctx,
   struct sss_domain_info *dom);
 
 struct sdap_id_conn_ctx *
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 0b8f49819..782d9bc40 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -367,7 +367,7 @@ get_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
 
 switch (ar->entry_type & BE_REQ_TYPE_MASK) {
 case BE_REQ_USER: /* user */
-clist = ad_user_conn_list(ad_ctx, dom);
+clist = ad_user_conn_list(mem_ctx, ad_ctx, dom);
 break;
 case BE_REQ_BY_SECID:   /* by SID */
 case BE_REQ_USER_AND_GROUP: /* get SID */
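
Review bot: the BE_REQ_USER branch now forwards get_conn_list()'s own mem_ctx, which only fixes the leak if the callers of get_conn_list() pass a short-lived context. Please confirm that they pass the request state and not ad_ctx or another long-lived context.
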
diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index e52587378..8f4d4c90c 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -1065,6 +1065,7 @@ ipa_deskprofile_rules_remove_user_dir(const char *user_dir,
 if (getegid() != orig_gid) {
 ret = setegid(orig_gid);
 if (ret == -1) {
+ret = errno;
 DEBUG(SSSDBG_CRIT_FAILURE,
   "Unable to set effective user id (%"PRIu32") of the "
   "domain's process [%d]: %s\n",
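
Review bot: the added "ret = errno;" in the setegid() failure branch is unrelated to this commit's subject ("do not allocate temporary data on long living context") and should go into its own patch. While this branch is being touched, the DEBUG text reads "Unable to set effective user id" although the failing call is setegid(); it should say group id. Capturing errno directly after the failed call, before DEBUG() can overwrite it, is the right order.
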
diff --git a/src/sss_client/common.c 

[SSSD] [sssd PR#517][comment] Fix two memory leaks in the AD provider

2018-02-19 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/517
Title: #517: Fix two memory leaks in the AD provider

sumit-bose commented:
"""
Sorry, there were some unrelated changes in the last commit.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/517#issuecomment-366748803


[SSSD] [sssd PR#128][synchronized] Fix group renaming issue when "id_provider = ldap" is set

2018-02-19 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/128
Author: fidencio
 Title: #128: Fix group renaming issue when "id_provider = ldap" is set
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/128/head:pr128
git checkout pr128
From 36b52887d4b9028a7315790addf7a4432aa56c1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Fri, 16 Feb 2018 13:55:53 +0100
Subject: [PATCH 01/15] NSS: Add InvalidateGroupById handler
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There are some situations where, from the backend, the NSS responder
will have to be notified to invalidate a group.

In order to achieve this in a clean way, let's add the
InvalidateGroupById handler and make use of it later in this very same
series.

Related:
https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano Fidêncio 
---
 src/responder/nss/nss_iface.c   | 16 ++
 src/responder/nss/nss_iface.xml |  3 +++
 src/responder/nss/nss_iface_generated.c | 38 +
 src/responder/nss/nss_iface_generated.h |  5 +
 4 files changed, 62 insertions(+)

diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
index 415af9550..805e4fcdf 100644
--- a/src/responder/nss/nss_iface.c
+++ b/src/responder/nss/nss_iface.c
@@ -199,12 +199,28 @@ int nss_memorycache_update_initgroups(struct sbus_request *sbus_req,
 return iface_nss_memorycache_UpdateInitgroups_finish(sbus_req);
 }
 
+int nss_memorycache_invalidate_group_by_id(struct sbus_request *sbus_req,
+   void *data,
+   gid_t gid)
+{
+struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
+struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx);
+
+DEBUG(SSSDBG_TRACE_LIBS,
+  "Invalidating group %"PRIu32" from memory cache\n", gid);
+
+sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, gid);
+
+return iface_nss_memorycache_InvalidateGroupById_finish(sbus_req);
+}
+
 struct iface_nss_memorycache iface_nss_memorycache = {
 { _nss_memorycache_meta, 0 },
 .UpdateInitgroups = nss_memorycache_update_initgroups,
 .InvalidateAllUsers = nss_memorycache_invalidate_users,
 .InvalidateAllGroups = nss_memorycache_invalidate_groups,
 .InvalidateAllInitgroups = nss_memorycache_invalidate_initgroups,
+.InvalidateGroupById = nss_memorycache_invalidate_group_by_id,
 };
 
 static struct sbus_iface_map iface_map[] = {
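
Review bot: nss_memorycache_invalidate_group_by_id() dereferences rctx->pvt_ctx and nctx->grp_mc_ctx without checking the results of talloc_get_type(), which returns NULL when the pointer is not of the named type. Use talloc_get_type_abort(), or return an error when either pointer is NULL. The gid is printed with PRIu32; cast it to uint32_t so the format matches wherever gid_t is not a 32-bit unsigned type. The handler also reports success unconditionally; if sss_mmap_cache_gr_invalidate_gid() returns a status, check it before calling the _finish function.
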
diff --git a/src/responder/nss/nss_iface.xml b/src/responder/nss/nss_iface.xml
index 27aae0197..4d8cf14f9 100644
--- a/src/responder/nss/nss_iface.xml
+++ b/src/responder/nss/nss_iface.xml
@@ -14,5 +14,8 @@
 
 
 
+
+
+
 
 
diff --git a/src/responder/nss/nss_iface_generated.c b/src/responder/nss/nss_iface_generated.c
index 4a8b704da..8d5a4584b 100644
--- a/src/responder/nss/nss_iface_generated.c
+++ b/src/responder/nss/nss_iface_generated.c
@@ -12,6 +12,9 @@
 /* invokes a handler with a 'ssau' DBus signature */
 static int invoke_ssau_method(struct sbus_request *dbus_req, void *function_ptr);
 
+/* invokes a handler with a 'u' DBus signature */
+static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr);
+
 /* arguments for org.freedesktop.sssd.nss.MemoryCache.UpdateInitgroups */
 const struct sbus_arg_meta iface_nss_memorycache_UpdateInitgroups__in[] = {
 { "user", "s" },
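
Review bot: nss_iface_generated.c is generated output by its name, so the new invoke_u_method declaration here and the additions in the following hunks should come from re-running the code generator on nss_iface.xml, not from manual edits. Please confirm that and mention it in the commit message, so review can concentrate on nss_iface.c and the XML.
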
@@ -44,6 +47,18 @@ int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *re
  DBUS_TYPE_INVALID);
 }
 
+/* arguments for org.freedesktop.sssd.nss.MemoryCache.InvalidateGroupById */
+const struct sbus_arg_meta iface_nss_memorycache_InvalidateGroupById__in[] = {
+{ "gid", "u" },
+{ NULL, }
+};
+
+int iface_nss_memorycache_InvalidateGroupById_finish(struct sbus_request *req)
+{
+   return sbus_request_return_and_finish(req,
+ DBUS_TYPE_INVALID);
+}
+
 /* methods for org.freedesktop.sssd.nss.MemoryCache */
 const struct sbus_method_meta iface_nss_memorycache__methods[] = {
 {
@@ -74,6 +89,13 @@ const struct sbus_method_meta iface_nss_memorycache__methods[] = {
 offsetof(struct iface_nss_memorycache, InvalidateAllInitgroups),
 NULL, /* no invoker */
 },
+{
+"InvalidateGroupById", /* name */
+iface_nss_memorycache_InvalidateGroupById__in,
+NULL, /* no out_args */
+offsetof(struct iface_nss_memorycache, InvalidateGroupById),
+invoke_u_method,
+},
 { NULL, }
 };
 
@@ -86,6 +108,22 @@ const struct sbus_interface_meta iface_nss_memorycache_meta = {
 sbus_invoke_get_all, /* GetAll invoker */
 };
 
+/* invokes a handler with a 'u' DBus signature */
+static int invoke_u_method(struct 

[SSSD] [sssd PR#128][-Changes requested] Fix group renaming issue when "id_provider = ldap" is set

2018-02-19 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/128
Title: #128: Fix group renaming issue when "id_provider = ldap" is set

Label: -Changes requested


[SSSD] [sssd PR#394][+Rejected] TESTS: Add an integration test for renaming incomplete groups during initgroups

2018-02-19 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/394
Title: #394: TESTS: Add an integration test for renaming incomplete groups during initgroups

Label: +Rejected


[SSSD] [sssd PR#128][comment] Fix group renaming issue when "id_provider = ldap" is set

2018-02-19 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/128
Title: #128: Fix group renaming issue when "id_provider = ldap" is set

fidencio commented:
"""
Patch set has been updated. It already includes the tests provided on #394.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/128#issuecomment-366779085