[SSSD] [sssd PR#498][closed] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-14 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/498
Author: fidencio
 Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/498/head:pr498
git checkout pr498
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-14 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
@lslebodn,

I'd like to ask you to have a ticket opened about this and we'll treat it from 
there.

Also, @simo5, would you mind giving your opinion here?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/498#issuecomment-365847319


[SSSD] [sssd PR#498][+Pushed] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-14 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

Label: +Pushed


[SSSD] [sssd PR#515][comment] sssctl: Showing help even when sssd not configured

2018-02-14 Thread centos-ci
  URL: https://github.com/SSSD/sssd/pull/515
Title: #515: sssctl: Showing help even when sssd not configured

centos-ci commented:
"""
Can one of the admins verify this patch?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/515#issuecomment-365845133


[SSSD] [sssd PR#515][comment] sssctl: Showing help even when sssd not configured

2018-02-14 Thread centos-ci
  URL: https://github.com/SSSD/sssd/pull/515
Title: #515: sssctl: Showing help even when sssd not configured

centos-ci commented:
"""
Can one of the admins verify this patch?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/515#issuecomment-365845134


[SSSD] [sssd PR#515][opened] sssctl: Showing help even when sssd not configured

2018-02-14 Thread amitkumar50
   URL: https://github.com/SSSD/sssd/pull/515
Author: amitkumar50
 Title: #515: sssctl: Showing help even when sssd not configured
Action: opened

PR body:
"""
Current Issue:
On a clean and unconfigured system, it's not possible
to use --help.
`# dnf install sssd-tools`
`# sssctl cache-remove --help`
Shows:
[confdb_get_domains] (0x0010): No domains configured, fatal error!

Solution: Do not check for confdb initialization when sssctl 3rd
command line argument passed is '--help'.

Please note when we run 'sssctl --help' on unconfigured system
confdb check is not done and proper o/p is seen.
Also suggest if we have a better alternative.

Resolves: https://pagure.io/SSSD/sssd/issue/3634
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/515/head:pr515
git checkout pr515
From 68b27079c2b4472ed63c22e526e334a49d2fbdb9 Mon Sep 17 00:00:00 2001
From: amitkuma 
Date: Thu, 15 Feb 2018 18:21:10 +0530
Subject: [PATCH] sssctl: Showing help even when sssd not configured

On a clean and unconfigured system, it's not possible
to use --help.
1) dnf install sssd-tools
2) sssctl cache-remove --help
Shows:
[confdb_get_domains] (0x0010): No domains configured, fatal error!

Solution: Do not check for confdb initialization when sssctl 3rd
command line argument passed is '--help'.

Please note when we run 'sssctl --help' on unconfigured system
confdb check is not done and proper o/p is seen.

Resolves: https://pagure.io/SSSD/sssd/issue/3634
---
 src/tools/common/sss_tools.c | 16 +---
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
index e491a1286..bb63dc7c3 100644
--- a/src/tools/common/sss_tools.c
+++ b/src/tools/common/sss_tools.c
@@ -333,13 +333,15 @@ errno_t sss_tool_route(int argc, const char **argv,
 return tool_ctx->init_err;
 }
 
-ret = tool_cmd_init(tool_ctx, [i]);
-if (ret != EOK) {
-DEBUG(SSSDBG_FATAL_FAILURE,
-  "Command initialization failed [%d] %s\n",
-  ret, sss_strerror(ret));
-return ret;
-}
+	if(strcmp(argv[2],"--help")){
+ret = tool_cmd_init(tool_ctx, [i]);
+if (ret != EOK) {
+DEBUG(SSSDBG_FATAL_FAILURE,
+  "Command initialization failed [%d] %s\n",
+  ret, sss_strerror(ret));
+return ret;
+}
+	}
 
 return commands[i].fn(, tool_ctx, pvt);
 }
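Review bot: `strcmp(argv[2],"--help")` reads `argv[2]` without looking at `argc`, so when `argc` is 2 (a command with no further arguments) `strcmp` receives the terminating NULL entry of `argv`. Guard the test with `argc > 2`, compare the result explicitly (`strcmp(...) != 0`), and indent the new lines with spaces like the surrounding code. The check also matches `--help` only in that one position, so `--help` placed after another option still goes through `tool_cmd_init`.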


[SSSD] [sssd PR#498][-Pushed] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-14 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

Label: -Pushed


[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-14 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

lslebodn commented:
"""
Unfortunately, it was pushed without careful review.

That would not work when running sssd in non-privileged mode because `seteuid` 
will fail.
And it was mentioned in upstream ticket https://pagure.io/SSSD/sssd/issue/3621

Quick POC
```
sh# su --shell=/bin/bash - sssd
sh$ python
Python 2.7.14 (default, Jan 31 2018, 14:27:00) 
[GCC 8.0.1 20180127 (Red Hat 8.0.1-0.6)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.getuid()
974
>>> os.geteuid()
974
>>> os.seteuid(1000)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 1] Operation not permitted
```

BTW I ran few basic tests in non-privileged mode and works like a charm with 
following IPA tests:
selinux-usemap, sudo, hbac, user, group, netgroup, password changes, ssh keys, 
automount.

I didn't test ad-trust tests because there is a known issue in non-privileged 
mode.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/498#issuecomment-365839135
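
The failure described in the comment above, as an added C example (not part of the original comment and not SSSD code): a helper that switches the effective UID around a piece of work, reports a refused `seteuid` instead of running the work under the wrong identity, and always restores the original UID. The names `run_as_euid`, `report_euid`, `pick_foreign_uid` and the starting UID 1000 are assumptions made for the illustration.

```c
#define _GNU_SOURCE /* getresuid() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical callback type: the work to do under the target identity. */
typedef int (*as_user_fn)(void *pvt);

/*
 * Hypothetical helper (not an SSSD function).
 * Runs fn(pvt) with the effective UID set to target, then restores the
 * previous effective UID. Returns 0 on success or the errno set by
 * seteuid(). A process without CAP_SETUID may only switch to its real,
 * effective or saved UID; any other target is refused with EPERM, which
 * is what the Python session in the comment shows for the sssd user.
 */
int run_as_euid(uid_t target, as_user_fn fn, void *pvt, int *fn_ret)
{
    uid_t orig = geteuid();

    if (seteuid(target) != 0) {
        return errno; /* refused: report it, never run fn as the wrong user */
    }
    *fn_ret = fn(pvt);
    if (seteuid(orig) != 0) {
        abort(); /* do not continue under an identity we did not intend */
    }
    return 0;
}

/* Sample callback: report which effective UID the work ran under. */
int report_euid(void *pvt)
{
    (void)pvt;
    return (int)geteuid();
}

/* Constructed test value: a UID that is none of our real, effective or
 * saved UIDs, so an unprivileged process is not allowed to switch to it. */
uid_t pick_foreign_uid(void)
{
    uid_t r, e, s, candidate = 1000;

    if (getresuid(&r, &e, &s) != 0) {
        abort();
    }
    while (candidate == r || candidate == e || candidate == s) {
        candidate++;
    }
    return candidate;
}

/* Switching to the UID we already have is always permitted. */
int demo_same_uid(void)
{
    int seen = -1;
    int ret = run_as_euid(geteuid(), report_euid, NULL, &seen);

    return ret == 0 && (uid_t)seen == geteuid();
}

/* The callback runs if and only if the switch succeeded, and then it
 * runs under the requested UID. Returns 1 when that holds. */
int demo_foreign_uid(void)
{
    int seen = -1;
    uid_t target = pick_foreign_uid();
    int ret = run_as_euid(target, report_euid, NULL, &seen);

    if (ret != 0) {
        return seen == -1; /* refused: the work must not have run */
    }
    return (uid_t)seen == target;
}

int main(void)
{
    int seen = -1;
    int ret = run_as_euid(pick_foreign_uid(), report_euid, NULL, &seen);

    printf("euid=%d, switch to another uid: %s\n", (int)geteuid(),
           ret == 0 ? "allowed" : strerror(ret));
    return !(demo_same_uid() && demo_foreign_uid());
}
```

Run as an ordinary user, `main` prints the refusal message for the foreign UID; run as root with full capabilities, the switch is allowed and the callback reports the target UID.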


[SSSD] [sssd PR#498][-Accepted] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-14 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

Label: -Accepted


[SSSD] [sssd PR#498][reopened] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-14 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/498
Author: fidencio
 Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE
Action: reopened

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/498/head:pr498
git checkout pr498


[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

jhrozek commented:
"""
* master:
 * f0cbe890adf696d8318373203580d709f3d38d8c 

   
 * 1a011c4f20e80f2bcb4d10a4d690b3a88c2fd70d
 * 07ae0da06c0d94a3198e484d0de28c9282c4d6cd
 * 2c5b03913c54234efdabcff83de368bae72dc799
 * b576b290d3d7e165269edf36d6be27bc1441a688
 * 0fce902c563c3b54f2e67235668273ff7ff40752
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/498#issuecomment-365744752


[SSSD] [sssd PR#498][closed] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-14 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/498
Author: fidencio
 Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/498/head:pr498
git checkout pr498


[SSSD] [sssd PR#498][+Pushed] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-14 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

Label: +Pushed


[SSSD] Re: New sbus implementation

2018-02-14 Thread Jakub Hrozek
On Sat, Feb 03, 2018 at 12:58:26PM +0100, Pavel Březina wrote:
> Hi team,
> as you know, I have been working on this occasionally for a long time now.
> The code can be found at [1].
> 
> It is completely new implementation of our internal D-Bus API called sbus. I
> took all the good things started by Steff Walter few years ago and made them
> better and more flexible. In short, it is everything you ever wanted and you
> will not use D-Bus with it at all.
> 
> There is a large README.md in the repo, that contains complete list of
> features, explanation why I started working on this and what I wanted to
> achieve. There is also shorter list of some chosen benefits to the SSSD
> project so you can get the general idea without going through the all
> feature list.
> 
> I really believe that this will be a big step forward for SSSD project as it
> will make the code much simpler and testable and it will allow us to extend
> our D-Bus interface both external and internal. It will give us the
> opportunity to improve the InfoPipe responder (and finally allow us to
> implement write interface) but it also allows us to improve the
> communications between providers, responders and even tools -- especially
> sssctl.
> 
> There is also a showcase application so you can see most of the features at
> work. All is described in the readme file.
> 
> It lacks unit tests at the moment. I would like to get some help from you in
> this area, we should talk about it in the meeting or here. If we choose to
> integrate this with our codebase, we should talk about schedule and test
> plan.
> 
> Also, I would like to strip it from SSSD's dependencies eventually and
> release it as a public library. But that will not happen in near future.
> 
> I hope you will like it.

I didn't have the time to read the implementation at all, honestly, I only
read the README.md. But I like the ideas, especially that we could finally
get support for signals and that the processes could communicate with one
another more easily.

So I'm all for merging this. But I'm sure when will I have the time to
review the code -- currently I'm busy looking at PRs for your other
project :-)

btw with my maintainer hat on -- I think changes like this would really
require us to split master from sssd-2.0.


[SSSD] [sssd PR#391][synchronized] Use dbus-daemon in cwrap enviroment for test

2018-02-14 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/391
Author: lslebodn
 Title: #391: Use dbus-daemon in cwrap enviroment for test
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/391/head:pr391
git checkout pr391
From 041b25fef6e027a8aeecf59fb213f943f9d9458c Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Wed, 20 Sep 2017 15:57:26 +0200
Subject: [PATCH 1/5] intg: Build with optimisations and debug symbols

We override CFLAGS for macro KCM_PEER_UID. Such change also remove
standard CFLAGS (-O2 -g) and therefore it was not possible to debug
processes in gdb unless environment variable CFLAGS was set.
But we should test optimized code by default and let developers
override default with environment variable CFLAGS and not vice versa.
---
 Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index d02f8fe1a..25e996d2d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3607,7 +3607,7 @@ intgcheck-prepare:
 	--without-semanage \
 	--with-session-recording-shell=/bin/false \
 	$(INTGCHECK_CONFIGURE_FLAGS) \
-	CFLAGS="$$CFLAGS -DKCM_PEER_UID=$$(id -u)"; \
+	CFLAGS="-O2 -g $$CFLAGS -DKCM_PEER_UID=$$(id -u)"; \
 	$(MAKE) $(AM_MAKEFLAGS) ; \
 	: Force single-thread install to workaround concurrency issues; \
 	$(MAKE) $(AM_MAKEFLAGS) -j1 install; \
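Review bot: The new `CFLAGS="-O2 -g $$CFLAGS ..."` assignment depends on the compiler honouring the last `-O` and `-g` option it is given, which is what lets a developer's own `CFLAGS` win over the hard-coded defaults. That ordering is easy to undo in a later edit, so a short comment beside the `intgcheck-prepare` rule stating that the defaults must stay in front of `$$CFLAGS` would help.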

From 80d1376c54ea6071eb32de4e16d0729010304d3d Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Sat, 18 Mar 2017 15:47:43 +0100
Subject: [PATCH 2/5] intg: Do not prefer builddir in PATH

Binary files in builddir are shell wrapper for libtool
Therefore we should prefer files which are installed in $prefix
---
 src/tests/intg/Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 209e5a0c7..9c4079d97 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -85,7 +85,7 @@ intgcheck-installed: config.py passwd group
 	unset HOME; \
 	PATH="$$(dirname -- $(SLAPD)):$$PATH" \
 	PATH="$(DESTDIR)$(sbindir):$(DESTDIR)$(bindir):$$PATH" \
-	PATH="$(abs_builddir):$(abs_srcdir):$$PATH" \
+	PATH="$$PATH:$(abs_builddir):$(abs_srcdir)" \
 	PYTHONPATH="$(abs_builddir):$(abs_srcdir)" \
 	LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \
 	NON_WRAPPED_UID=$$(id -u) \
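Review bot: With `PATH="$$PATH:$(abs_builddir):$(abs_srcdir)"` the inherited `$$PATH` now comes ahead of the build and source directories, so any same-named executable already on the caller's `PATH` shadows the one in `$(abs_builddir)` or `$(abs_srcdir)`, not only the copies installed under `$(DESTDIR)`. If some test helpers exist only in those two directories, name them in the commit message so it is clear why the entries are kept; if none do, dropping the entries would be simpler.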

From 2ba5ae78a2ee94e0e99f2b0e6cda37fca4b781e5 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Wed, 20 Sep 2017 15:40:07 +0200
Subject: [PATCH 3/5] intg: Install configuration for dbus daemon

Resolves:
https://pagure.io/SSSD/sssd/issue/2823
---
 src/external/intgcheck.m4 |  2 +
 src/tests/intg/Makefile.am| 20 +++
 src/tests/intg/data/cwrap-dbus-system.conf.in | 83 +++
 3 files changed, 105 insertions(+)
 create mode 100644 src/tests/intg/data/cwrap-dbus-system.conf.in

diff --git a/src/external/intgcheck.m4 b/src/external/intgcheck.m4
index ac68b85dd..60a7bf306 100644
--- a/src/external/intgcheck.m4
+++ b/src/external/intgcheck.m4
@@ -31,3 +31,5 @@ AC_DEFUN([SSS_ENABLE_INTGCHECK_REQS], [
 SSS_INTGCHECK_REQ([HAVE_PY2MOD_LDAP], [pyldb])
 fi
 ])
+
+AM_CONDITIONAL([INTG_BUILD], [test x"$enable_intgcheck_reqs" = xyes])
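Review bot: `AM_CONDITIONAL([INTG_BUILD], ...)` sits after the closing `])` of `SSS_ENABLE_INTGCHECK_REQS`, so it is expanded where this file is included rather than where the macro is called, and it tests `$enable_intgcheck_reqs`, which nothing in this hunk sets. Please confirm the variable is already assigned at that point in configure, or move the conditional next to the option that sets it; with an empty variable `INTG_BUILD` is always false.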
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 9c4079d97..23737624d 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -37,6 +37,25 @@ dist_noinst_DATA = \
 test_pysss_nss_idmap.py \
 $(NULL)
 
+EXTRA_DIST = data/cwrap-dbus-system.conf.in
+
+dbussysconfdir = $(sysconfdir)/dbus-1
+dbusservicedir = $(datadir)/dbus-1/system-services
+
+if INTG_BUILD
+dist_dbussysconf_DATA = cwrap-dbus-system.conf
+
+install-data-hook:
+	$(MKDIR_P) $(DESTDIR)$(runstatedir)/dbus
+	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/session.d
+
+endif
+
+cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile
+	$(SED) -e "s!@runstatedir[@]!$(runstatedir)!" \
+   -e "s!@dbusservicedir[@]!$(dbusservicedir)!" \
+   $< > $@
+
 config.py: config.py.m4
 	m4 -D "prefix=\`$(prefix)'" \
 	   -D "sysconfdir=\`$(sysconfdir)'" \
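Review bot: `dist_dbussysconf_DATA = cwrap-dbus-system.conf` asks automake to ship a file that the rule below generates from `data/cwrap-dbus-system.conf.in` with the build-time values of `$(runstatedir)` and `$(dbusservicedir)`. The template is already listed in `EXTRA_DIST`, so the generated file should be installed through `nodist_dbussysconf_DATA` instead.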
@@ -70,6 +89,7 @@ CLEANFILES=config.py config.pyc passwd group
 
 clean-local:
 	rm -Rf root
+	rm -f $(builddir)/cwrap-dbus-system.conf
 
 intgcheck-installed: config.py passwd group
 	pipepath="$(DESTDIR)$(pipepath)"; \
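Review bot: The `rm -f $(builddir)/cwrap-dbus-system.conf` added to `clean-local` does by hand what `CLEANFILES` is for, and that variable is visible in the hunk header as `CLEANFILES=config.py config.pyc passwd group`. Adding `cwrap-dbus-system.conf` to that list keeps the cleanup of generated files in one place.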
diff --git a/src/tests/intg/data/cwrap-dbus-system.conf.in b/src/tests/intg/data/cwrap-dbus-system.conf.in
new file mode 100644
index 0..7369054e7
--- /dev/null
+++ b/src/tests/intg/data/cwrap-dbus-system.conf.in
@@ -0,0 +1,83 @@
+
+
+
+
+http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd;>
+
+
+  
+  system
+
+  
+  
+
+
+  
+  
+
+  
+  
+  @dbusservicedir@
+
+
+  
+  @runstatedir@/dbus/messagebus.pid
+
+  
+  EXTERNAL
+
+  
+  unix:path=@runstatedir@/dbus/system_bus_socket
+  
+
+
+
+
+
+
+  
+
+  
+  system.d
+
+  
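Review bot: The `system.d` entry near the end of this file does not match the directory that the `install-data-hook` in `src/tests/intg/Makefile.am` creates, which is `$(DESTDIR)$(sysconfdir)/session.d`. If the bus is meant to read policy snippets from a `system.d` directory, the hook should create that directory; if `session.d` is intentional, a comment saying what uses it would help.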

[SSSD] [sssd PR#498][+Accepted] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-14 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

Label: +Accepted


[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-14 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
Adding the "Accepted" label as per @simo5's review and @olivergs's tests.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/498#issuecomment-365685945


[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-14 Thread olivergs
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

olivergs commented:
"""
After testing this patch in a clean environment it worked like a charm.

Thanks!
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/498#issuecomment-365685736


[SSSD] [sssd PR#514][opened] Backport several UPN related patches to sssd-1-13

2018-02-14 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/514
Author: jhrozek
 Title: #514: Backport several UPN related patches to sssd-1-13
Action: opened

PR body:
"""
There are several patches that were applied to master, but never to sssd-1-13. 
The patches are needed to enable UPN logins in both direct join and trust-based 
setup.

The patches were already tested by one affected RHEL customer, so I'm quite 
certain they work. It would be nice to run CI and Coverity to make sure we 
don't introduce any regressions.

I did some basic sanity testing when backporting the fixes, but if you want to 
test the patches, first create a user with an 'enterprise principal', see e.g. 
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772007(v=ws.11)
 then create an UPN that is different than the realm name. Restart SSSD to make 
sure the subdomains are refreshed. With a trust setup, you also might need to 
run 'ipa trustdomain-fetch' to make sure the suffix shows up.

Then, login using the UPN as the username.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/514/head:pr514
git checkout pr514
From 30949ccf1d41b31c4a91445c5b78a494eb84e501 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Thu, 25 Jan 2018 17:25:50 +0100
Subject: [PATCH 1/3] Make get_object_from_cache() aware of UPN searches

---
 src/providers/ipa/ipa_subdomains_id.c | 16 
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 0956046d7..223dbec15 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -1000,11 +1000,19 @@ errno_t get_object_from_cache(TALLOC_CTX *mem_ctx,
 case BE_REQ_INITGROUPS:
 case BE_REQ_USER:
 case BE_REQ_USER_AND_GROUP:
-ret = sysdb_search_user_by_name(mem_ctx, dom, name, attrs, );
-if (ret == ENOENT && (ar->entry_type & BE_REQ_TYPE_MASK)
+if (ar->extra_value
+&& strcmp(ar->extra_value, EXTRA_NAME_IS_UPN) == 0) {
+ret = sysdb_search_user_by_upn(mem_ctx, dom, name,
+   attrs, );
+} else {
+ret = sysdb_search_user_by_name(mem_ctx, dom, name,
+attrs, );
+if (ret == ENOENT && (ar->entry_type & BE_REQ_TYPE_MASK)
  == BE_REQ_USER_AND_GROUP) {
-ret = sysdb_search_group_by_name(mem_ctx, dom, name,
- attrs, );
+ret = sysdb_search_group_by_name(mem_ctx, dom,
+ name, attrs,
+ );
+}
 }
 break;
 default:
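Review bot: In the new `EXTRA_NAME_IS_UPN` branch a `BE_REQ_USER_AND_GROUP` request that gets `ENOENT` from `sysdb_search_user_by_upn()` no longer falls back to `sysdb_search_group_by_name()`, because that fallback now exists only in the `else` branch. That is plausibly intended, but the commit message has no body; one sentence there, or a short comment above the `if`, stating that the group lookup is deliberately skipped for UPN searches would answer the question for the next reader.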

From 855fa6187314b5f56f69658f1f4faa81820a3011 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 29 Jun 2016 14:02:02 +0200
Subject: [PATCH 2/3] NSS: Fix domain for UPN based lookups

Since sysdb_search_user_by_upn() searches the whole cache we have to set
the domain so that it matches the result.

Reviewed-by: Jakub Hrozek 
(cherry picked from commit f426a8b81a871188348b41aa52803a05bc3a02de)
---
 src/responder/nss/nsssrv_cmd.c | 29 +
 1 file changed, 29 insertions(+)

diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 61e961efc..3ea43169f 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -975,6 +975,7 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
 struct ldb_message *msg;
 const char *extra_flag = NULL;
 char *neg_cache_name;
+const char *sysdb_name;
 
 nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
 
@@ -1077,6 +1078,23 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
 }
 
 dctx->res->msgs[0] = talloc_steal(dctx->res->msgs, msg);
+
+/* Since sysdb_search_user_by_upn() searches the whole cache we
+ * have to set the domain so that it matches the result. */
+sysdb_name = ldb_msg_find_attr_as_string(dctx->res->msgs[0],
+ SYSDB_NAME, NULL);
+if (sysdb_name == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Cached entry has no name.\n");
+return EINVAL;
+}
+dctx->domain = find_domain_by_object_name(get_domains_head(dom),
+  sysdb_name);
+if (dctx->domain == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+  "Cannot find matching domain for [%s].\n",
+  
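Review bot: `dctx->domain` is overwritten with the result of `find_domain_by_object_name()` before that result is checked, so on the `NULL` path the context has already lost the domain it was searching. Assign the result to a local variable first and update `dctx->domain` only once it is known to be non-NULL.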

[SSSD] [sssd PR#503][comment] Regression test for false possitive "corrupted" memory cache

2018-02-14 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/503
Title: #503: Regression test for false possitive "corrupted" memory cache

lslebodn commented:
"""
> @lslebodn, I would it call just 'flags' as e.g. open(2).

What about latest version?
It is be backward compatible including negative test cases. But it allows to 
pass `NUL` character to input string.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/503#issuecomment-365672349
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#503][synchronized] Regression test for false possitive "corrupted" memory cache

2018-02-14 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/503
Author: lslebodn
 Title: #503: Regression test for false possitive "corrupted" memory cache
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/503/head:pr503
git checkout pr503
From 313af382da04ccb4d021a4325f0797ca2742f081 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Wed, 24 Jan 2018 11:24:01 +0100
Subject: [PATCH 1/4] pysss_murmur: Allow to have NUL character in python
 bindings

---
 src/python/pysss_murmur.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/python/pysss_murmur.c b/src/python/pysss_murmur.c
index 060d29df3..8f1752a29 100644
--- a/src/python/pysss_murmur.c
+++ b/src/python/pysss_murmur.c
@@ -38,15 +38,16 @@ static PyObject * py_murmurhash3(PyObject *module, PyObject *args)
 long key_len;
 long long seed;
 uint32_t hash;
+int input_len;
 
-if (!PyArg_ParseTuple(args, sss_py_const_p(char, "slL"),
-  , _len, )) {
+if (!PyArg_ParseTuple(args, sss_py_const_p(char, "z#lL"),
+  , _len, _len, )) {
 PyErr_Format(PyExc_ValueError, "Invalid argument\n");
 return NULL;
 }
 
 if (seed > UINT32_MAX || key_len > INT_MAX || key_len < 0 ||
-(size_t)key_len > strlen(key)) {
+(size_t)key_len > input_len) {
 PyErr_Format(PyExc_ValueError, "Invalid value\n");
 return NULL;
 }
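Review bot: The format string changes from `s` to `z#`, and `z` accepts `None`, in which case the key pointer is `NULL` and the reported length is 0; a call with `None` and a `key_len` of 0 then passes the range check that follows. Use `s#` unless `None` is meant to be a valid key. The check `(size_t)key_len > input_len` also compares an unsigned value with the `int` `input_len`; declare `input_len` with the type the `#` format writes and keep both sides of the comparison the same signedness.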

From fac978156129ce13576a3494fb456086e4ce68f3 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Wed, 24 Jan 2018 11:34:59 +0100
Subject: [PATCH 2/4] TESTS: Extend code coverage for murmurhash3

* add positive test for trailing NUL character
* add test for corner cases (0, input_len + 1)
---
 src/tests/pysss_murmur-test.py | 62 --
 1 file changed, 47 insertions(+), 15 deletions(-)

diff --git a/src/tests/pysss_murmur-test.py b/src/tests/pysss_murmur-test.py
index 7237c95b0..9fb1a0494 100755
--- a/src/tests/pysss_murmur-test.py
+++ b/src/tests/pysss_murmur-test.py
@@ -60,26 +60,53 @@ def testImport(self):
 raise e
 self.assertEqual(pysss_murmur.__file__, MODPATH + "/pysss_murmur.so")
 
-class PySssMurmurTest(unittest.TestCase):
-@classmethod
-def tearDownClass(cls):
-os.unlink(MODPATH + "/pysss_murmur.so")
-os.rmdir(MODPATH)
 
-def testExpectedHash(self):
-hash = pysss_murmur.murmurhash3("S-1-5-21-215332-2176343378-3404031434", 41, 0xdeadbeef)
-self.assertEqual(hash, 93103853)
-
-def testInvalidArguments(self):
+class PySssMurmurTestNeg(unittest.TestCase):
+def test_invalid_arguments(self):
 self.assertRaises(ValueError, pysss_murmur.murmurhash3, 1, 2, 3)
 self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test", 2)
 self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test")
 self.assertRaises(ValueError, pysss_murmur.murmurhash3)
-self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test", -1, 3)
-self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test", 2,
-  0xff)
+
+def test_invalid_length(self):
+seed = 12345
+
+self.assertRaises(ValueError, pysss_murmur.murmurhash3, "t", -1, seed)
+# length is off by one
+self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test", 5,
+  seed)
 self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test",
-  0xff, 3)
+  0xff, seed)
+
+
+class PySssMurmurTestPos(unittest.TestCase):
+@classmethod
+def tear_down_dlass(cls):
+os.unlink(MODPATH + "/pysss_murmur.so")
+os.rmdir(MODPATH)
+
+def testExpectedHash(self):
+sid_str = "S-1-5-21-215332-2176343378-3404031434"
+seed = 0xdeadbeef
+
+hash_val = pysss_murmur.murmurhash3(sid_str, 0, seed)
+self.assertEqual(hash_val, 233162409)
+
+hash_val = pysss_murmur.murmurhash3(sid_str, len(sid_str), seed)
+self.assertEqual(hash_val, 93103853)
+
+def test_memory_cache_usage(self):
+seed = 0xbeefdead
+input_str = "test_user1"
+input_len = len(input_str)
+
+val_bin = pysss_murmur.murmurhash3(input_str + '\0',
+   input_len + 1, seed)
+self.assertEqual(val_bin, 1198610880)
+
+val_bin = pysss_murmur.murmurhash3(input_str + '\0' * 5,
+   input_len + 5, seed)
+self.assertEqual(val_bin, 2917868047)
 
 
 if __name__ == "__main__":
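Review bot: `tear_down_dlass` in `PySssMurmurTestPos` is not a name that `unittest` calls (the hook is `tearDownClass`, as in the removed `PySssMurmurTest`), so the `os.unlink` and `os.rmdir` cleanup of `MODPATH` never runs. Restore the original name. The method names in the new classes are also mixed, `testExpectedHash` beside `test_memory_cache_usage`; pick one style.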
@@ -97,9 +124,14 @@ def testInvalidArguments(self):
 sys.path.insert(0, MODPATH)
 import pysss_murmur
 
-suite = unittest.TestLoader().loadTestsFromTestCase(PySssMurmurTest)
+suite = 

[SSSD] [sssd PR#496][comment] sysdb: sanitize search filter input - backport sssd-1-13

2018-02-14 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/496
Title: #496: sysdb: sanitize search filter input - backport sssd-1-13

lslebodn commented:
"""
I added in-line comment.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/496#issuecomment-365637557


[SSSD] [sssd PR#496][+Changes requested] sysdb: sanitize search filter input - backport sssd-1-13

2018-02-14 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/496
Title: #496: sysdb: sanitize search filter input - backport sssd-1-13

Label: +Changes requested