[SSSD] [sssd PR#141][synchronized] PAM: Use cache_req to perform initgroups lookups

2017-02-24 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/141
Author: fidencio
 Title: #141: PAM: Use cache_req to perform initgroups lookups
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/141/head:pr141
git checkout pr141
From 143d84ac936f38648f0cd603c54891f9d8554cd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Thu, 2 Feb 2017 13:06:30 +0100
Subject: [PATCH 1/4] CACHE_REQ: Add cache_req_data_set_bypass_cache()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This new cache_req_data method has been added because of the upcoming
changes in the PAM responder.

For deciding whether to contact the cache, or just query the data
provider directly, PAM responder calls pam_initgr_check_timeout() which
will return whether the cache entry may still be valid. The cache will
be contacted only in case the cache entry is still valid, otherwise the
data provider will be called.

pam_initgr_check_timeout() basically checks whether the user (being
looked up) is still a part of an in-memory hash table. Because the entry
is a part of the hash table for a really short period of time, and is
automatically removed, the communication with the data provider is forced
to happen quite often.

As the follow-up changes should not modify this behaviour, this function
was introduced so we can still call pam_initgr_check_timeout() and pass
its result to the cache_req call that will perform the lookup.

Related:
https://fedorahosted.org/sssd/ticket/1126

Signed-off-by: Fabiano Fidêncio 
---
 src/responder/common/cache_req/cache_req.h | 3 +++
 src/responder/common/cache_req/cache_req_data.c| 7 +++
 src/responder/common/cache_req/cache_req_private.h | 2 ++
 src/responder/common/cache_req/cache_req_search.c  | 2 +-
 4 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
index 185558d..d0e5ff4 100644
--- a/src/responder/common/cache_req/cache_req.h
+++ b/src/responder/common/cache_req/cache_req.h
@@ -111,6 +111,9 @@ cache_req_data_host(TALLOC_CTX *mem_ctx,
 const char *name,
 const char *alias,
 const char **attrs);
+void
+cache_req_data_set_bypass_cache(struct cache_req_data *data,
+bool bypass_cache);
 
 /* Output data. */
 
diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c
index b2e22ec..729e187 100644
--- a/src/responder/common/cache_req/cache_req_data.c
+++ b/src/responder/common/cache_req/cache_req_data.c
@@ -357,3 +357,10 @@ cache_req_data_host(TALLOC_CTX *mem_ctx,
 
 return cache_req_data_create(mem_ctx, type, );
 }
+
+void
+cache_req_data_set_bypass_cache(struct cache_req_data *data,
+bool bypass_cache)
+{
+data->bypass_cache = bypass_cache;
+}
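Review bot: cache_req_data_set_bypass_cache() dereferences data without checking it, at `data->bypass_cache = bypass_cache;`. cache_req_data_host() just above hands back whatever cache_req_data_create() returns, so if that can be NULL a caller that sets the flag before checking the pointer will crash the responder; an early return when data == NULL would avoid that. A one-line comment saying that true forces the lookup to skip the cache would also help, since the prototype added to cache_req.h is undocumented.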
diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h
index cc47375..3839f5a 100644
--- a/src/responder/common/cache_req/cache_req_private.h
+++ b/src/responder/common/cache_req/cache_req_private.h
@@ -84,6 +84,8 @@ struct cache_req_data {
 struct cache_req_cased_name protocol;
 uint16_t port;
 } svc;
+
+bool bypass_cache;
 };
 
 struct tevent_req *
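Review bot: the new `bool bypass_cache;` member of struct cache_req_data is not initialised anywhere in the visible hunks; its only writer is cache_req_data_set_bypass_cache(). Please confirm the struct is zero-allocated so that the default is false (consult the cache), and add a comment on the member saying it is a per-request override that sits next to the plugin's flag of the same name.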
diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c
index eed82cf..ebbc2c7 100644
--- a/src/responder/common/cache_req/cache_req_search.c
+++ b/src/responder/common/cache_req/cache_req_search.c
@@ -214,7 +214,7 @@ cache_req_search_send(TALLOC_CTX *mem_ctx,
  */
 state->result = NULL;
 status = CACHE_OBJECT_MISSING;
-if (!cr->plugin->bypass_cache) {
+if (!cr->plugin->bypass_cache && !cr->data->bypass_cache) {
 ret = cache_req_search_cache(state, cr, >result);
 if (ret != EOK && ret != ENOENT) {
 goto done;
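Review bot: the new condition `!cr->plugin->bypass_cache && !cr->data->bypass_cache` combines a per-plugin flag and a per-request flag that share a name, and nothing records which of the two caused the cache to be skipped. A local bool or small helper with a debug message naming the source would let a PAM request that was forced to the data provider be told apart from a plugin that always bypasses. The comment that closes just above `state->result = NULL;` should mention the per-request case as well.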

From cae34b4cf3232db75009698488de0a3d7849c261 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Thu, 2 Feb 2017 13:19:18 +0100
Subject: [PATCH 2/4] PAM: Use cache_req to perform initgroups lookups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PAM responder has already been taking advantage of the cache_req
interface, so this patch is just replacing some code that performs
initgroups lookups by using cache_req to do so.

Resolves:
https://fedorahosted.org/sssd/ticket/1126

Signed-off-by: Fabiano Fidêncio 
---
 src/providers/data_provider.h  |   1 -
 src/responder/pam/pamsrv.h |   1 -
 src/responder/pam/pamsrv_cmd.c | 468 +++--
 3 files changed, 76 insertions(+), 394 deletions(-)

diff --git a/src/providers/data_provider.h 

[SSSD] [sssd PR#168][comment] DOC: Deprecate README, add README.md

2017-02-24 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/168
Title: #168: DOC: Deprecate README, add README.md

jhrozek commented:
"""
ok, new patch pushed here
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/168#issuecomment-282330721
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#168][synchronized] DOC: Deprecate README, add README.md

2017-02-24 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/168
Author: jhrozek
 Title: #168: DOC: Deprecate README, add README.md
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/168/head:pr168
git checkout pr168
From 1be5ac07bb6c3338ffe48d8df633ed21c292d408 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 24 Feb 2017 09:22:20 +0100
Subject: [PATCH] DOC: Deprecate README, add README.md

To make it easier to display the contents of README on the project
homepage, this patch converts the README contents to README.md.

The original README is removed so that we don't maintain two different
sources.

The links to fedorahosted are retained until we migrate the wiki pages.
---
 README| 43 ---
 README.md | 28 
 2 files changed, 28 insertions(+), 43 deletions(-)
 delete mode 100644 README
 create mode 100644 README.md

diff --git a/README b/README
deleted file mode 100644
index 189f66f..000
--- a/README
+++ /dev/null
@@ -1,43 +0,0 @@
-
- SSSD - System Security Services Daemon
- --
-
-  Introduction
-  
-  SSSD provides a set of daemons to manage access to remote directories and
-  authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides
-  an NSS and PAM interface toward the system and a pluggable backend system
-  to connect to multiple different account sources.
-
-  More information about SSSD can be found on its project page -
-  
-
-  Building and installation
-  -
-  Please see the file BUILD.txt for details
-
-  Documentation
-  -
-  The most up-to-date documentation can be found at
-  
-
-  Licensing
-  -
-  Please see the file called COPYING.
-
-  Contacts
-  
-  There are several ways to contact us:
-
- * the sssd-devel mailing list:
-   Development of the System Security Services Daemon
-   
-
- * the sssd-users mailing list:
-   End-user discussions about the System Security Services Daemon
-   
-
- * the #sssd and #freeipa IRC channels on freenode:
-   irc://irc.freenode.net/sssd
-   irc://irc.freenode.net/freeipa
-
diff --git a/README.md b/README.md
new file mode 100644
index 000..40c88c0
--- /dev/null
+++ b/README.md
@@ -0,0 +1,28 @@
+# SSSD - System Security Services Daemon
+
+## Introduction
+SSSD provides a set of daemons to manage access to remote directories and
+authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides
+an NSS and PAM interface toward the system and a pluggable backend system
+to connect to multiple different account sources.
+
+More information about SSSD can be found on its project page -
+https://pagure.io/SSSD/sssd/
+
+## Building and installation
+Please see the file BUILD.txt for details
+
+## Documentation
+The most up-to-date documentation can be found at https://fedorahosted.org/sssd/wiki/Documentation
+
+## Licensing
+Please see the file called COPYING.
+
+## Contacts
+There are several ways to contact us:
+
+* the sssd-devel mailing list: [Development of the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-devel)
+* the sssd-users mailing list: [End-user discussions about the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-users)
+* the #sssd and #freeipa IRC channels on freenode:
+  * irc://irc.freenode.net/sssd
+  * irc://irc.freenode.net/freeipa
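Review bot: link style is inconsistent inside the new README.md: the project page and Documentation entries use bare URLs while the Contacts list uses [text](url) links. Using one form throughout would render more evenly, and the "project page -" line followed by a URL on its own line could become a single link. The Documentation line is also much longer than the wrapping used in the Introduction paragraph.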


[SSSD] [sssd PR#168][comment] DOC: Deprecate README, add README.md

2017-02-24 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/168
Title: #168: DOC: Deprecate README, add README.md

lslebodn commented:
"""
On (24/02/17 07:42), Jakub Hrozek wrote:
>On Fri, Feb 24, 2017 at 06:17:16AM -0800, lslebodn wrote:
>> On (24/02/17 02:43), Jakub Hrozek wrote:
>> >I'm not sure why the centos CI reports failure. I ran our internal CI and 
>> >it passed:
>> >http://sssd-ci.duckdns.org/logs/job/63/44/summary.html
>> >
>> 
>> The link is different
>> https://pagure.io/SSSD/sssd/
>
>fixed
>
Looks good to me on pagure
https://pagure.io/fork/lslebodn/SSSD/sssd/branch/pr168

and also on github
https://github.com/jhrozek/sssd/tree/readme

But there is a trailing space on line
  "There are several ..."

shell based unit test will fail.

Please fix it before pushing but; please wait for guys from fedora
infrastructure; they might change things.

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/168#issuecomment-282327314


[SSSD] [sssd PR#168][comment] DOC: Deprecate README, add README.md

2017-02-24 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/168
Title: #168: DOC: Deprecate README, add README.md

jhrozek commented:
"""
On Fri, Feb 24, 2017 at 06:17:16AM -0800, lslebodn wrote:
> On (24/02/17 02:43), Jakub Hrozek wrote:
> >I'm not sure why the centos CI reports failure. I ran our internal CI and it 
> >passed:
> >http://sssd-ci.duckdns.org/logs/job/63/44/summary.html
> >
> 
> The link is different
> https://pagure.io/SSSD/sssd/

fixed

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/168#issuecomment-282322994


[SSSD] [sssd PR#168][synchronized] DOC: Deprecate README, add README.md

2017-02-24 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/168
Author: jhrozek
 Title: #168: DOC: Deprecate README, add README.md
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/168/head:pr168
git checkout pr168
From 15fea19e4666c8b8a1ba4b38b5601b7cc27f5cde Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 24 Feb 2017 09:22:20 +0100
Subject: [PATCH] DOC: Deprecate README, add README.md

To make it easier to display the contents of README on the project
homepage, this patch converts the README contents to README.md.

The original README is removed so that we don't maintain two different
sources.

The links to fedorahosted are retained until we migrate the wiki pages.
---
 README| 43 ---
 README.md | 28 
 2 files changed, 28 insertions(+), 43 deletions(-)
 delete mode 100644 README
 create mode 100644 README.md

diff --git a/README b/README
deleted file mode 100644
index 189f66f..000
--- a/README
+++ /dev/null
@@ -1,43 +0,0 @@
-
- SSSD - System Security Services Daemon
- --
-
-  Introduction
-  
-  SSSD provides a set of daemons to manage access to remote directories and
-  authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides
-  an NSS and PAM interface toward the system and a pluggable backend system
-  to connect to multiple different account sources.
-
-  More information about SSSD can be found on its project page -
-  
-
-  Building and installation
-  -
-  Please see the file BUILD.txt for details
-
-  Documentation
-  -
-  The most up-to-date documentation can be found at
-  
-
-  Licensing
-  -
-  Please see the file called COPYING.
-
-  Contacts
-  
-  There are several ways to contact us:
-
- * the sssd-devel mailing list:
-   Development of the System Security Services Daemon
-   
-
- * the sssd-users mailing list:
-   End-user discussions about the System Security Services Daemon
-   
-
- * the #sssd and #freeipa IRC channels on freenode:
-   irc://irc.freenode.net/sssd
-   irc://irc.freenode.net/freeipa
-
diff --git a/README.md b/README.md
new file mode 100644
index 000..3429b89
--- /dev/null
+++ b/README.md
@@ -0,0 +1,28 @@
+# SSSD - System Security Services Daemon
+
+## Introduction
+SSSD provides a set of daemons to manage access to remote directories and
+authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides
+an NSS and PAM interface toward the system and a pluggable backend system
+to connect to multiple different account sources.
+
+More information about SSSD can be found on its project page -
+https://pagure.io/SSSD/sssd/
+
+## Building and installation
+Please see the file BUILD.txt for details
+
+## Documentation
+The most up-to-date documentation can be found at https://fedorahosted.org/sssd/wiki/Documentation
+
+## Licensing
+Please see the file called COPYING.
+
+## Contacts
+There are several ways to contact us: 
+
+* the sssd-devel mailing list: [Development of the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-devel)
+* the sssd-users mailing list: [End-user discussions about the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-users)
+* the #sssd and #freeipa IRC channels on freenode:
+  * irc://irc.freenode.net/sssd
+  * irc://irc.freenode.net/freeipa
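Review bot: the added line "+There are several ways to contact us: " under "## Contacts" ends with a trailing space. Drop it; no other added line in this file carries trailing whitespace, and a whitespace check over the tree would flag it.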


[SSSD] [sssd PR#152][comment] Add a tevent wrapper around libcurl's asynchronous interface

2017-02-24 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/152
Title: #152: Add a tevent wrapper around libcurl's asynchronous interface

jhrozek commented:
"""
On Thu, Feb 23, 2017 at 03:10:12AM -0800, lslebodn wrote:
> lslebodn commented on this pull request.
> 
> 
> 
> > @@ -3241,6 +3281,7 @@ intgcheck-prepare:
>   --without-semanage \
>   $(INTGCHECK_CONFIGURE_FLAGS); \
>   $(MAKE) $(AM_MAKEFLAGS); \
> + $(MAKE) $(AM_MAKEFLAGS) tcurl-test-tool || echo "libcurl tests will be 
> disabled"; \
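Review bot: the `|| echo "libcurl tests will be disabled"` fallback on the added tcurl-test-tool line hides every failure of that sub-make, not only a missing libcurl, so a genuine compile error in the tool would pass intgcheck-prepare silently. Making the call depend on whether libcurl was found at configure time, or at least sending the message to stderr and recording that the tests were skipped, would keep real breakage visible.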
> 
> Ahh, you want to use it in integration tests. Then it should not be part of test `check_PROGRAMS`
> IMHO; there are simpler options: add it to `noinst_PROGRAMS` or install it only with integration tests. But we do not have such an AM_CONDITION yet

OK, done, added to noinst programs. But I was wondering if the OR
condition is too much of a hack. Because if libcurl is not installed, we
can't build the tcurl-test-tool binary, we have to either make this call
conditional (but wrapping it with BUILD_WITH_LIBCURL didn't work for me)
or non-fatal (and there I tried prefixing the rule with '-', but that
didn't work either).

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/152#issuecomment-282322164


[SSSD] [sssd PR#152][synchronized] Add a tevent wrapper around libcurl's asynchronous interface

2017-02-24 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/152
Author: jhrozek
 Title: #152: Add a tevent wrapper around libcurl's asynchronous interface
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/152/head:pr152
git checkout pr152
From 5c51222ba533972d56f4ecb43e05b5c2e1db372e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 23 Sep 2016 13:41:53 +0200
Subject: [PATCH 1/5] UTIL: Add a new macro SAFEALIGN_MEMCPY_CHECK

We will use it later in the KCM server
---
 src/util/util_safealign.h | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/src/util/util_safealign.h b/src/util/util_safealign.h
index a2cd4dd..0d9a579 100644
--- a/src/util/util_safealign.h
+++ b/src/util/util_safealign.h
@@ -124,6 +124,12 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter)
 safealign_memcpy(dest, CV_MACRO_val, sizeof(char) * length, pctr); \
 } while(0)
 
+#define SAFEALIGN_MEMCPY_CHECK(dest, src, srclen, len, pctr) do { \
+if ((*(pctr) + srclen) > (len) || \
+SIZE_T_OVERFLOW(*(pctr), srclen)) { return EINVAL; } \
+safealign_memcpy(dest, src, srclen, pctr); \
+} while(0)
+
 /* Aliases for backward compatibility. */
 #define SAFEALIGN_SET_VALUE SAFEALIGN_SETMEM_VALUE
 #define SAFEALIGN_SET_INT64 SAFEALIGN_SETMEM_INT64
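Review bot: in SAFEALIGN_MEMCPY_CHECK the srclen argument is used unparenthesised in `(*(pctr) + srclen)` and is expanded three times, so an expression passed as srclen can bind wrongly or be evaluated more than once. Write it as (srclen) everywhere, and consider testing SIZE_T_OVERFLOW first so the wrap case is visibly handled before the sum is compared with len. The macro also hides a `return EINVAL` from its caller; that needs a comment at the definition, because it only works in functions returning an errno-style int and it skips any cleanup label the caller has.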

From 30b5f3c8252a819bdd3ee2094562a019e2252bd8 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Tue, 20 Sep 2016 18:46:40 +0200
Subject: [PATCH 2/5] UTIL: Add a generic iobuf module

The KCM responder reads bytes and writes bytes from a buffer of bytes.
Instead of letting the caller deal with low-level handling using the
SAFEALIGN macros, this patch adds a new iobuf.c module with more
high-level functions.

The core is an iobuf struct that keeps track of the buffer, its total
capacity and a current read or write position.

There are helper functions to read or write a generic buffer with a set
length. Later, we will also add convenience functions to read C data
types using the SAFEALIGN macros.
---
 Makefile.am   |  22 +
 src/tests/cmocka/test_iobuf.c | 194 +++
 src/util/sss_iobuf.c  | 204 ++
 src/util/sss_iobuf.h  | 117 
 4 files changed, 537 insertions(+)
 create mode 100644 src/tests/cmocka/test_iobuf.c
 create mode 100644 src/util/sss_iobuf.c
 create mode 100644 src/util/sss_iobuf.h

diff --git a/Makefile.am b/Makefile.am
index e676e18..b612897 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -274,6 +274,7 @@ if HAVE_CMOCKA
 test_ipa_dn \
 simple-access-tests \
 krb5_common_test \
+test_iobuf \
 $(NULL)
 
 if HAVE_LIBRESOLV
@@ -654,6 +655,7 @@ dist_noinst_HEADERS = \
 src/util/util_sss_idmap.h \
 src/util/util_creds.h \
 src/util/inotify.h \
+src/util/sss_iobuf.h \
 src/monitor/monitor.h \
 src/monitor/monitor_interfaces.h \
 src/monitor/monitor_iface_generated.h \
@@ -1820,6 +1822,7 @@ krb5_utils_tests_SOURCES = \
 src/providers/krb5/krb5_common.c \
 src/providers/krb5/krb5_opts.c \
 src/util/sss_krb5.c \
+src/util/sss_iobuf.c \
 src/providers/data_provider_fo.c \
 src/providers/data_provider_opts.c \
 src/providers/data_provider_callbacks.c \
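Review bot: the commit message does not explain why src/util/sss_iobuf.c is needed in krb5_utils_tests_SOURCES, where it is added directly after sss_krb5.c; the message only mentions the KCM responder. If sss_krb5.c now calls into the iobuf module, say so in the commit message, since the same line is repeated for the other krb5 targets in the following hunks; if it does not, these additions look unnecessary.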
@@ -2095,6 +2098,7 @@ krb5_child_test_SOURCES = \
 src/providers/krb5/krb5_common.c \
 src/providers/krb5/krb5_opts.c \
 src/util/sss_krb5.c \
+src/util/sss_iobuf.c \
 src/providers/data_provider_fo.c \
 src/providers/data_provider_opts.c \
 src/providers/data_provider_callbacks.c \
@@ -2765,6 +2769,7 @@ test_copy_ccache_SOURCES = \
 src/tests/cmocka/test_copy_ccache.c \
 src/providers/krb5/krb5_ccache.c \
 src/util/sss_krb5.c \
+src/util/sss_iobuf.c \
 $(NULL)
 test_copy_ccache_CFLAGS = \
 $(AM_CFLAGS) \
@@ -2783,6 +2788,7 @@ test_copy_keytab_SOURCES = \
 src/tests/cmocka/test_copy_keytab.c \
 src/providers/krb5/krb5_keytab.c \
 src/util/sss_krb5.c \
+src/util/sss_iobuf.c \
 $(NULL)
 test_copy_keytab_CFLAGS = \
 $(AM_CFLAGS) \
@@ -3145,6 +3151,19 @@ test_ipa_dn_LDADD = \
 libsss_test_common.la \
 $(NULL)
 
+test_iobuf_SOURCES = \
+src/util/sss_iobuf.c \
+src/tests/cmocka/test_iobuf.c \
+$(NULL)
+test_iobuf_CFLAGS = \
+$(AM_CFLAGS) \
+$(NULL)
+test_iobuf_LDADD = \
+$(CMOCKA_LIBS) \
+$(SSSD_LIBS) \
+$(NULL)
+
+
 EXTRA_simple_access_tests_DEPENDENCIES = \
 $(ldblib_LTLIBRARIES)
 simple_access_tests_SOURCES = \
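Review bot: two empty "+" lines are added after test_iobuf_LDADD, where the test_ipa_dn block just above is separated from its neighbour by one; drop the extra blank line. Also worth checking that test_iobuf does not need libsss_test_common.la, which test_ipa_dn_LDADD links, as the new target lists only $(CMOCKA_LIBS) and $(SSSD_LIBS).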
@@ -3476,6 +3495,7 @@ libsss_krb5_common_la_SOURCES = \
 src/providers/krb5/krb5_init_shared.c \
 src/providers/krb5/krb5_ccache.c \
 src/util/sss_krb5.c \
+src/util/sss_iobuf.c \
 src/util/become_user.c \
 $(NULL)
 libsss_krb5_common_la_CFLAGS = \
@@ -3705,6 +3725,7 @@ krb5_child_SOURCES = \
 src/providers/dp_pam_data_util.c \
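
The position-tracking buffer described in the [PATCH 2/5] commit message, combined with the wrap-around guard that SAFEALIGN_MEMCPY_CHECK adds in [PATCH 1/5], as an added example that is not part of the patch or of SSSD. struct ex_iobuf and all ex_* functions are hypothetical names, and the oversized length is a constructed value.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cursor buffer for illustration; NOT the sss_iobuf API. */
struct ex_iobuf {
    uint8_t *data;
    size_t capacity;  /* total size of data */
    size_t pos;       /* current read/write position */
};

/* Naive bounds check: pos + len can wrap past SIZE_MAX and look small. */
int ex_naive_fits(const struct ex_iobuf *b, size_t len)
{
    return (b->pos + len) <= b->capacity;
}

/* Overflow-aware check: reject the wrap before doing the addition. */
int ex_checked_fits(const struct ex_iobuf *b, size_t len)
{
    if (len > SIZE_MAX - b->pos) {
        return 0;
    }
    return (b->pos + len) <= b->capacity;
}

/* Copy len bytes into the buffer; the position moves only on success. */
int ex_iobuf_write(struct ex_iobuf *b, const void *src, size_t len)
{
    if (b == NULL || b->data == NULL || (src == NULL && len > 0)) {
        return EINVAL;
    }
    if (!ex_checked_fits(b, len)) {
        return EINVAL;
    }
    if (len > 0) {
        memcpy(b->data + b->pos, src, len);
    }
    b->pos += len;
    return 0;
}

/* Copy len bytes out of the buffer; the position moves only on success. */
int ex_iobuf_read(struct ex_iobuf *b, void *dst, size_t len)
{
    if (b == NULL || b->data == NULL || (dst == NULL && len > 0)) {
        return EINVAL;
    }
    if (!ex_checked_fits(b, len)) {
        return EINVAL;
    }
    if (len > 0) {
        memcpy(dst, b->data + b->pos, len);
    }
    b->pos += len;
    return 0;
}

/* Returns 1 when a constructed huge length passes the naive check
 * (because the sum wraps) but is rejected by the overflow-aware one. */
int ex_demo_wrap_detected(void)
{
    uint8_t storage[8];
    struct ex_iobuf b = { storage, sizeof(storage), 4 };
    size_t huge = SIZE_MAX - 1;  /* constructed length from untrusted input */

    return ex_naive_fits(&b, huge) == 1 && ex_checked_fits(&b, huge) == 0;
}

/* Returns 0 when writes and reads respect the capacity, else the
 * number of the step that failed. */
int ex_demo_roundtrip(void)
{
    uint8_t storage[8];
    uint8_t out[8] = {0};
    struct ex_iobuf b = { storage, sizeof(storage), 0 };

    if (ex_iobuf_write(&b, "abcd", 4) != 0) return 1;
    if (ex_iobuf_write(&b, "efghi", 5) != EINVAL) return 2; /* 4 + 5 > 8 */
    if (b.pos != 4) return 3;            /* failed write must not advance */
    if (ex_iobuf_write(&b, "efgh", 4) != 0) return 4;
    b.pos = 0;                           /* rewind for reading */
    if (ex_iobuf_read(&b, out, 8) != 0) return 5;
    if (memcmp(out, "abcdefgh", 8) != 0) return 6;
    if (ex_iobuf_read(&b, out, 1) != EINVAL) return 7; /* nothing left */
    return 0;
}

int main(void)
{
    printf("wrap caught only by checked variant: %d\n",
           ex_demo_wrap_detected());
    printf("roundtrip failing step (0 = none): %d\n", ex_demo_roundtrip());
    return 0;
}
```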
 

[SSSD] [sssd PR#163][comment] Enable the files domain for all sssd configurations

2017-02-24 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/163
Title: #163: Enable the files domain for all sssd configurations

jhrozek commented:
"""
btw one thing I would like to do more than this auto-magic is for SSSD to have 
the functionality to enable all domains that are defined even in snippets 
without having to define them on the domains=line. Then the downstream package 
could just drop a files domain definition..but we don't have this 
functionality, so..
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/163#issuecomment-282314586


[SSSD] [sssd PR#163][comment] Enable the files domain for all sssd configurations

2017-02-24 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/163
Title: #163: Enable the files domain for all sssd configurations

jhrozek commented:
"""
OK, I added a new option and a test for it. So far (for easier review) I kept 
the option and the test as separate patches prefixed with SQ. If the patches 
are acked, I will squash them into the ones just before (and resubmit before 
pushing for sanity check)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/163#issuecomment-282314208


[SSSD] [sssd PR#163][synchronized] Enable the files domain for all sssd configurations

2017-02-24 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/163
Author: jhrozek
 Title: #163: Enable the files domain for all sssd configurations
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/163/head:pr163
git checkout pr163
From 47a28714c047385b9800473627f570662215670d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Tue, 21 Feb 2017 16:34:45 +0100
Subject: [PATCH 1/7] MONITOR: Enable an implicit files domain if one is not
 configured

Resolves:
https://fedorahosted.org/sssd/ticket/3112

If SSSD is compiled with --enable-files-domain, the loading of the
domains changes such that:
* if no domain with id_provider=files exists in the config file, an
  implicit SSSD files domain is added
* this domain is always first in the list

The administrator is free to create a files domain in the config file
himself and either place it at the end of the list or not enable it at
all.
---
 src/conf_macros.m4|  12 
 src/confdb/confdb.c   | 165 ++
 src/confdb/confdb.h   |   3 +
 src/monitor/monitor.c |  11 
 4 files changed, 191 insertions(+)

diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 427b0e0..bd65217 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -903,3 +903,15 @@ AC_DEFUN([WITH_SECRETS_DB_PATH],
 AC_SUBST(secdbpath)
 AC_DEFINE_UNQUOTED(SECRETS_DB_PATH, "$config_secdbpath", [Path to the SSSD Secrets databases])
   ])
+
+AC_ARG_ENABLE([files-domain],
+  [AS_HELP_STRING([--enable-files-domain],
+  [If this feature is enabled, then SSSD always enables
+   a domain with id_provider=files even if the domain
+   is not specified in the config file
+  [default=no]])],
+  [enable_files_domain=$enableval],
+  [enable_files_domain=no])
+AS_IF([test x$enable_files_domain = xyes],
+  AC_DEFINE_UNQUOTED([ADD_FILES_DOMAIN], [1],
+  [whether to build unconditionally enable files domain]))
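Review bot: the AC_DEFINE_UNQUOTED description "[whether to build unconditionally enable files domain]" does not read as a sentence, and `test x$enable_files_domain = xyes` leaves the variable unquoted. Suggest "whether to unconditionally enable the files domain" and `test "x$enable_files_domain" = "xyes"`. Since the defined value is the literal 1, plain AC_DEFINE would be enough here.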
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index c7afd68..980cabc 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1643,3 +1643,168 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,
 talloc_free(tmp_ctx);
 return ret;
 }
+
+#ifdef ADD_FILES_DOMAIN
+static int confdb_has_files_domain(struct confdb_ctx *cdb)
+{
+TALLOC_CTX *tmp_ctx = NULL;
+struct ldb_dn *dn = NULL;
+struct ldb_result *res = NULL;
+static const char *attrs[] = {CONFDB_DOMAIN_ID_PROVIDER, NULL};
+const char *id_provider = NULL;
+int ret;
+unsigned int i;
+
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+return ENOMEM;
+}
+
+dn = ldb_dn_new(tmp_ctx, cdb->ldb, CONFDB_DOMAIN_BASEDN);
+if (dn == NULL) {
+ret = ENOMEM;
+goto done;
+}
+
+ret = ldb_search(cdb->ldb, tmp_ctx, , dn, LDB_SCOPE_ONELEVEL,
+ attrs, NULL);
+if (ret != LDB_SUCCESS) {
+ret = EIO;
+goto done;
+}
+
+for (i = 0; i < res->count; i++) {
+id_provider = ldb_msg_find_attr_as_string(res->msgs[i],
+  CONFDB_DOMAIN_ID_PROVIDER,
+  NULL);
+if (id_provider == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+  "The object [%s] doesn't have a id_provider\n",
+   ldb_dn_get_linearized(res->msgs[i]->dn));
+ret = EINVAL;
+goto done;
+}
+
+if (strcasecmp(id_provider, "files") == 0) {
+break;
+}
+}
+
+ret = i < res->count ? EOK : ENOENT;
+done:
+talloc_free(tmp_ctx);
+return ret;
+}
+
+static int create_files_domain(struct confdb_ctx *cdb,
+   const char *name)
+{
+TALLOC_CTX *tmp_ctx = NULL;
+errno_t ret;
+char *cdb_path = NULL;
+const char *val[2] = {NULL, NULL};
+
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+return ENOMEM;
+}
+
+cdb_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL, name);
+if (cdb_path == NULL) {
+ret = ENOMEM;
+goto done;
+}
+
+val[0] = "files";
+ret = confdb_add_param(cdb, true, cdb_path, "id_provider", val);
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add id_provider [%d]: %s\n",
+  ret, sss_strerror(ret));
+goto done;
+}
+
+ret = EOK;
+done:
+talloc_free(tmp_ctx);
+return ret;
+}
+
+static int activate_files_domain(struct confdb_ctx *cdb,
+ const char *name)
+{
+errno_t ret;
+TALLOC_CTX *tmp_ctx;
+char *monitor_domlist;
+const char *domlist[2] = { NULL, NULL };
+
+tmp_ctx = talloc_new(NULL);
+
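Review bot: confdb_has_files_domain() returns EINVAL as soon as any object under CONFDB_DOMAIN_BASEDN lacks id_provider, so one incomplete domain section aborts the whole check instead of being skipped. Either continue past such entries or document that this is meant to be fatal, and make sure the caller treats ENOENT (no files domain, add the implicit one) differently from real errors. The loop also inspects every domain object whether or not it is enabled, which matches the commit message but deserves a comment in the code.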

[SSSD] [sssd PR#167][comment] Add missing dyndns_auth option to AD and IPA provider man pages

2017-02-24 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/167
Title: #167: Add missing dyndns_auth option to AD and IPA provider man pages

justin-stephenson commented:
"""
If that is the case, then I am fine if you would like to go ahead and close 
this PR. I just saw a customer using this option recently.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/167#issuecomment-282306054
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#167][comment] Add missing dyndns_auth option to AD and IPA provider man pages

2017-02-24 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/167
Title: #167: Add missing dyndns_auth option to AD and IPA provider man pages

lslebodn commented:
"""
I thought it was not documented intentionally.
The same as other insecure options for tls.

@jhrozek should know because he is an author :-)

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/167#issuecomment-282302805


[SSSD] [sssd PR#168][comment] DOC: Deprecate README, add README.md

2017-02-24 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/168
Title: #168: DOC: Deprecate README, add README.md

lslebodn commented:
"""
On (24/02/17 02:43), Jakub Hrozek wrote:
>I'm not sure why the centos CI reports failure. I ran our internal CI and it 
>passed:
>http://sssd-ci.duckdns.org/logs/job/63/44/summary.html
>

The link is different
https://pagure.io/SSSD/sssd/

LS

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/168#issuecomment-282301450


[SSSD] [sssd PR#168][+Changes requested] DOC: Deprecate README, add README.md

2017-02-24 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/168
Title: #168: DOC: Deprecate README, add README.md

Label: +Changes requested



[SSSD] [sssd PR#168][-Accepted] DOC: Deprecate README, add README.md

2017-02-24 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/168
Title: #168: DOC: Deprecate README, add README.md

Label: -Accepted


[SSSD] [sssd PR#153][+Accepted] sss_cache: User/groups invalidation in domain cache

2017-02-24 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache

Label: +Accepted
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#153][comment] sss_cache: User/groups invalidation in domain cache

2017-02-24 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/153
Title: #153: sss_cache: User/groups invalidation in domain cache

fidencio commented:
"""
Patch looks good and there are just two really minor coding style issues, IMO.

Whoever pushes this patch, please, squash 
https://fidencio.fedorapeople.org/pr153/pr153-squash.patch into this PR.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/153#issuecomment-282299100


[SSSD] [sssd PR#128][+Changes requested] Fix group renaming issue when "id_provider = ldap" is set

2017-02-24 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/128
Title: #128: Fix group renaming issue when "id_provider = ldap" is set

Label: +Changes requested


[SSSD] [sssd PR#128][comment] Fix group renaming issue when "id_provider = ldap" is set

2017-02-24 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/128
Title: #128: Fix group renaming issue when "id_provider = ldap" is set

fidencio commented:
"""
So, as far as I remember, the conclusion about this patch is that we should 
also have a really loud debug message saying that the group has been renamed.

Is everyone here in agreement about this? @lslebodn, @jhrozek, @sumit-bose
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/128#issuecomment-282295811


[SSSD] [sssd PR#163][comment] Enable the files domain for all sssd configurations

2017-02-24 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/163
Title: #163: Enable the files domain for all sssd configurations

jhrozek commented:
"""
On Fri, Feb 24, 2017 at 04:41:48AM -0800, Pavel Březina wrote:
> Typo in last commit message:
> ```
> This functionality is only enabled in case SSSD is configured with with <
> ```
> 
> Otherwise ack. I just wonder if this is really something that must be enabled 
> on build level. My concern is that if someone will not want to use it for 
> some reason, there is no way to disable the implicit files domain. We should 
> provide a configuration option to disable it.

Are you referring to the domain that gets prepended before other domains
or the fallback config?

> 
> Or we should provide a configuration option `enable_implicit_files` that will 
> default to `yes` if `--enable-files-domain` is given and to `no` otherwise.

I can implement this, sure.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/163#issuecomment-282294063


[SSSD] [sssd PR#163][comment] Enable the files domain for all sssd configurations

2017-02-24 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/163
Title: #163: Enable the files domain for all sssd configurations

pbrezina commented:
"""
Typo in last commit message:
```
This functionality is only enabled in case SSSD is configured with with <
```

Otherwise ack. I just wonder if this is really something that must be enabled 
on build level. My concern is that if someone will not want to use it for some 
reason, there is no way to disable the implicit files domain. We should provide 
a configuration option to disable it.

Or we should provide a configuration option `enable_implicit_files` that will 
default to `yes` if `--enable-files-domain` is given and to `no` otherwise.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/163#issuecomment-282282200


[SSSD] [sssd PR#141][comment] PAM: Use cache_req to perform initgroups lookups

2017-02-24 Thread spbnick
  URL: https://github.com/SSSD/sssd/pull/141
Title: #141: PAM: Use cache_req to perform initgroups lookups

spbnick commented:
"""
All my comments were addressed, ACK on my points. Thanks, @fidencio!
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/141#issuecomment-282267591


[SSSD] [sssd PR#168][comment] DOC: Deprecate README, add README.md

2017-02-24 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/168
Title: #168: DOC: Deprecate README, add README.md

jhrozek commented:
"""
I'm not sure why the CentOS CI reports failure. I ran our internal CI and it 
passed:
http://sssd-ci.duckdns.org/logs/job/63/44/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/168#issuecomment-282261473


[SSSD] [sssd PR#168][+Accepted] DOC: Deprecate README, add README.md

2017-02-24 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/168
Title: #168: DOC: Deprecate README, add README.md

Label: +Accepted


[SSSD] [sssd PR#168][comment] DOC: Deprecate README, add README.md

2017-02-24 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/168
Title: #168: DOC: Deprecate README, add README.md

fidencio commented:
"""
ack!
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/168#issuecomment-282236962


[SSSD] [sssd PR#168][synchronized] DOC: Deprecate README, add README.md

2017-02-24 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/168
Author: jhrozek
 Title: #168: DOC: Deprecate README, add README.md
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/168/head:pr168
git checkout pr168
From 98605a43ed243e52e87ee1665d758a362308011c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 24 Feb 2017 09:22:20 +0100
Subject: [PATCH] DOC: Deprecate README, add README.md

To make it easier to display the contents of README on the project
homepage, this patch converts the README contents to README.md.

The original README is removed so that we don't maintain two different
sources.

The links to fedorahosted are retained until we migrate the wiki pages.
---
 README| 43 ---
 README.md | 28 
 2 files changed, 28 insertions(+), 43 deletions(-)
 delete mode 100644 README
 create mode 100644 README.md

diff --git a/README b/README
deleted file mode 100644
index 189f66f..000
--- a/README
+++ /dev/null
@@ -1,43 +0,0 @@
-
- SSSD - System Security Services Daemon
- --
-
-  Introduction
-  
-  SSSD provides a set of daemons to manage access to remote directories and
-  authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides
-  an NSS and PAM interface toward the system and a pluggable backend system
-  to connect to multiple different account sources.
-
-  More information about SSSD can be found on its project page -
-  
-
-  Building and installation
-  -
-  Please see the file BUILD.txt for details
-
-  Documentation
-  -
-  The most up-to-date documentation can be found at
-  
-
-  Licensing
-  -
-  Please see the file called COPYING.
-
-  Contacts
-  
-  There are several ways to contact us:
-
- * the sssd-devel mailing list:
-   Development of the System Security Services Daemon
-   
-
- * the sssd-users mailing list:
-   End-user discussions about the System Security Services Daemon
-   
-
- * the #sssd and #freeipa IRC channels on freenode:
-   irc://irc.freenode.net/sssd
-   irc://irc.freenode.net/freeipa
-
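Review bot: Removing README outright can leave stale references behind, because the diffstat touches only README and README.md. If any build, dist or packaging file names README explicitly, it has to be switched to README.md in this same commit; please confirm that nothing else in the tree refers to the old file name.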
diff --git a/README.md b/README.md
new file mode 100644
index 000..fe8de97
--- /dev/null
+++ b/README.md
@@ -0,0 +1,28 @@
+# SSSD - System Security Services Daemon
+
+## Introduction
+SSSD provides a set of daemons to manage access to remote directories and
+authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides
+an NSS and PAM interface toward the system and a pluggable backend system
+to connect to multiple different account sources.
+
+More information about SSSD can be found on its project page -
+https://pagure.io/sssd
+
+## Building and installation
+Please see the file BUILD.txt for details
+
+## Documentation
+The most up-to-date documentation can be found at https://fedorahosted.org/sssd/wiki/Documentation
+
+## Licensing
+Please see the file called COPYING.
+
+## Contacts
+There are several ways to contact us: 
+
+* the sssd-devel mailing list: [Development of the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-devel)
+* the sssd-users mailing list: [End-user discussions about the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-users)
+* the #sssd and #freeipa IRC channels on freenode:
+  * irc://irc.freenode.net/sssd
+  * irc://irc.freenode.net/freeipa
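Review bot: The added line "There are several ways to contact us: " under "## Contacts" ends with a trailing space, which should be dropped. The Documentation line and the two mailing-list bullets are also left unwrapped while the Introduction paragraph is wrapped at about 80 columns; wrapping them, or moving the URLs into reference-style links, would keep the file consistent. The project page already points at pagure.io while Documentation and the lists stay on fedorahosted.org, which matches the commit message, so a follow-up is needed once the wiki pages are migrated.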


[SSSD] [sssd PR#168][opened] DOC: Deprecate README, add README.md

2017-02-24 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/168
Author: jhrozek
 Title: #168: DOC: Deprecate README, add README.md
Action: opened

PR body:
"""
None
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/168/head:pr168
git checkout pr168
From a0b8658deb111f7ba8ec6f99f6fc2ab924f944b2 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 24 Feb 2017 09:22:20 +0100
Subject: [PATCH] DOC: Deprecate README, add README.md

---
 README| 43 ---
 README.md | 28 
 2 files changed, 28 insertions(+), 43 deletions(-)
 delete mode 100644 README
 create mode 100644 README.md

diff --git a/README b/README
deleted file mode 100644
index 189f66f..000
--- a/README
+++ /dev/null
@@ -1,43 +0,0 @@
-
- SSSD - System Security Services Daemon
- --
-
-  Introduction
-  
-  SSSD provides a set of daemons to manage access to remote directories and
-  authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides
-  an NSS and PAM interface toward the system and a pluggable backend system
-  to connect to multiple different account sources.
-
-  More information about SSSD can be found on its project page -
-  
-
-  Building and installation
-  -
-  Please see the file BUILD.txt for details
-
-  Documentation
-  -
-  The most up-to-date documentation can be found at
-  
-
-  Licensing
-  -
-  Please see the file called COPYING.
-
-  Contacts
-  
-  There are several ways to contact us:
-
- * the sssd-devel mailing list:
-   Development of the System Security Services Daemon
-   
-
- * the sssd-users mailing list:
-   End-user discussions about the System Security Services Daemon
-   
-
- * the #sssd and #freeipa IRC channels on freenode:
-   irc://irc.freenode.net/sssd
-   irc://irc.freenode.net/freeipa
-
diff --git a/README.md b/README.md
new file mode 100644
index 000..6a12b51
--- /dev/null
+++ b/README.md
@@ -0,0 +1,28 @@
+# SSSD - System Security Services Daemon
+
+## Introduction
+SSSD provides a set of daemons to manage access to remote directories and
+authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides
+an NSS and PAM interface toward the system and a pluggable backend system
+to connect to multiple different account sources.
+
+More information about SSSD can be found on its project page -
+https://pagure.io/sssd
+
+## Building and installation
+Please see the file BUILD.txt for details
+
+## Documentation
+The most up-to-date documentation can be found at https://docs.pagure.org/sssd/Documentation.html
+
+## Licensing
+Please see the file called COPYING.
+
+## Contacts
+There are several ways to contact us: 
+
+* the sssd-devel mailing list: [Development of the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-devel)
+* the sssd-users mailing list: [End-user discussions about the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-users)
+* the #sssd and #freeipa IRC channels on freenode:
+  * irc://irc.freenode.net/sssd
+  * irc://irc.freenode.net/freeipa
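Review bot: The links in the new README.md point at three different hosts: the project page at pagure.io, Documentation at docs.pagure.org, and both mailing lists at fedorahosted.org. The commit has no message body, so it is unclear whether this mix is intended; please state in the commit message which links have been migrated and which are deliberately kept for now, and why README is removed rather than kept alongside README.md.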