[SSSD] [sssd PR#449][+Changes requested] cache: Check for max_id/min_id in cache_req

2017-11-29 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/449
Title: #449: cache: Check for max_id/min_id in cache_req

Label: +Changes requested
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#449][-Changes requested] cache: Check for max_id/min_id in cache_req

2017-11-29 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/449
Title: #449: cache: Check for max_id/min_id in cache_req

Label: -Changes requested


[SSSD] [sssd PR#449][comment] cache: Check for max_id/min_id in cache_req

2017-11-29 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/449
Title: #449: cache: Check for max_id/min_id in cache_req

jhrozek commented:
"""
Removing changes requested since a new patch had arrived
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/449#issuecomment-347890037


[SSSD] [sssd PR#461][+Accepted] responder: Fix talloc hierarchy in sized_output_name

2017-11-29 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/461
Title: #461: responder: Fix talloc hierarchy in sized_output_name

Label: +Accepted


[SSSD] [sssd PR#461][comment] responder: Fix talloc hierarchy in sized_output_name

2017-11-29 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/461
Title: #461: responder: Fix talloc hierarchy in sized_output_name

fidencio commented:
"""
I'm adding the "Accepted" label. Thanks for the patch and for the explanation 
of the issue (face-to-face, last week). I totally missed that when looking at 
the issue.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/461#issuecomment-347874199


[SSSD] [sssd PR#461][comment] responder: Fix talloc hierarchy in sized_output_name

2017-11-29 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/461
Title: #461: responder: Fix talloc hierarchy in sized_output_name

fidencio commented:
"""
I can see one failure in our internal CI:
```
ERROR: Command failed: 
 # /usr/bin/systemd-nspawn -q -M 5b05f2b1276141ae922d65eae7807749 -D 
/var/lib/mock/fedora-27-x86_64/root -a --private-network --setenv=TERM=vt100 
--setenv=SHELL=/bin/bash --setenv=HOME=/builddir --setenv=HOSTNAME=mock 
--setenv=PATH=/usr/bin:/bin:/usr/sbin:/sbin --setenv=PROMPT_COMMAND=printf 
"\033]0;\007" --setenv=PS1= \s-\v\$  
--setenv=LANG=en_US.UTF-8 -u mockbuild bash --login -c /usr/bin/rpmbuild -bb 
--target x86_64 --nodeps /builddir/build/SPECS/sssd.spec
```

This failure happened on an f27 system but is not related to this patch at all. 
For all other systems, CI passed: 
http://vm-031.${abc}/logs/job/81/98/summary.html
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/461#issuecomment-347873986


[SSSD] [sssd PR#461][comment] responder: Fix talloc hierarchy in sized_output_name

2017-11-29 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/461
Title: #461: responder: Fix talloc hierarchy in sized_output_name

fidencio commented:
"""
Ack! I'll add the accepted label after getting the results from our CI.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/461#issuecomment-347849459


[SSSD] [sssd PR#410][comment] IPA: sanitize name in override search filter - Backport to SSSD-1.13

2017-11-29 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/410
Title: #410: IPA: sanitize name in override search filter - Backport to 
SSSD-1.13

fidencio commented:
"""
One thing that I have noticed (with or without the patch) is that `getent group 
f...@ad.ff`, f...@ad.ff being an AD group from the trusted domain, doesn't 
return me any results. I can only get some results after an `id 
any_user_who_s_part_of_foo_ad_ff_group`.

I guess this is not expected at all, or am I mistaken?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/410#issuecomment-347841071


[SSSD] [sssd PR#410][comment] IPA: sanitize name in override search filter - Backport to SSSD-1.13

2017-11-29 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/410
Title: #410: IPA: sanitize name in override search filter - Backport to 
SSSD-1.13

fidencio commented:
"""
I've tried to reproduce the very same issue using sssd-1.13.3-57.el6_9 and I 
simply can't. May it be related to the ipa version?

I'll give it another try using an el7 system with 1.13 branch installed.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/410#issuecomment-347840457


[SSSD] [sssd PR#438][comment] krb5_child: Distinguish between expired & disabled AD user

2017-11-29 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/438
Title: #438: krb5_child: Distinguish between expired & disabled AD user

sumit-bose commented:
"""
Hi Lukas,

thank you for the patch. I will have a close look at the code later but I think 
the general approach is good.

I'm just wondering if we should enable it by default and add an option to 
switch to the plain libkrb5 call for environments where the master KDC lookup 
is really needed (and works)? What do you think?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/438#issuecomment-347840054


[SSSD] [sssd PR#449][synchronized] cache: Check for max_id/min_id in cache_req

2017-11-29 Thread amitkumar50
   URL: https://github.com/SSSD/sssd/pull/449
Author: amitkumar50
 Title: #449: cache: Check for max_id/min_id in cache_req
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/449/head:pr449
git checkout pr449
From d9ec950853e7a5b4a3ae5e19f66415520b324cf2 Mon Sep 17 00:00:00 2001
From: amitkuma 
Date: Tue, 14 Nov 2017 16:44:06 +0530
Subject: [PATCH] cache: Check for max_id/min_id in cache_req

The cache_req code doesn't check the min_id/max_id
boundaries for requests by ID.
Extending the .lookup_fn function in each plugin
that searches by ID for a check that returns 0
if the entry is out of the range.

Resolves: https://pagure.io/SSSD/sssd/issue/3569
---
 src/db/sysdb_ops.c |  1 -
 src/db/sysdb_search.c  |  1 -
 src/responder/common/cache_req/cache_req_private.h |  2 ++
 src/responder/common/cache_req/cache_req_search.c  |  5 +
 src/responder/common/cache_req/plugins/cache_req_common.c  | 10 ++
 src/responder/common/cache_req/plugins/cache_req_group_by_id.c |  1 +
 .../common/cache_req/plugins/cache_req_object_by_id.c  |  1 +
 src/responder/common/cache_req/plugins/cache_req_user_by_id.c  |  1 +
 src/util/util_errors.h |  1 +
 9 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 1539c41c9..a3c4c9033 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -4909,7 +4909,6 @@ errno_t sysdb_search_object_by_id(TALLOC_CTX *mem_ctx,
 if (filter == NULL) {
 return ENOMEM;
 }
-
 ret = sysdb_search_object_attr(mem_ctx, domain, filter, attrs, true, res);
 
 talloc_free(filter);
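
Review bot: The only change in this hunk is the removal of the blank line between the filter == NULL check and the sysdb_search_object_attr() call, which has nothing to do with the min_id/max_id check the commit message describes. Please drop this file from the patch; the same applies to the blank-line removal in src/db/sysdb_search.c, so that the change stays limited to the cache_req code.
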
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index 808396690..1806a614e 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -374,7 +374,6 @@ errno_t sysdb_getpwuid_with_views(TALLOC_CTX *mem_ctx,
 DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
 return ENOMEM;
 }
-
 /* If there are views we first have to search the overrides for matches */
 if (DOM_HAS_VIEWS(domain)) {
 ret = sysdb_search_user_override_by_uid(tmp_ctx, domain, uid,
diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h
index 0f630542d..eb43a60ef 100644
--- a/src/responder/common/cache_req/cache_req_private.h
+++ b/src/responder/common/cache_req/cache_req_private.h
@@ -177,4 +177,6 @@ bool
 cache_req_common_dp_recv(struct tevent_req *subreq,
  struct cache_req *cr);
 
+errno_t cache_req_idminmax_check(struct cache_req_data *data,
+ struct sss_domain_info *domain);
 #endif /* _CACHE_REQ_PRIVATE_H_ */
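
Review bot: The new cache_req_idminmax_check() prototype carries no comment stating its return contract, and it now sits directly against the #endif with no blank line in between. Suggest a short comment saying what is returned when data->id is inside the domain's id_min/id_max range and that ERR_UID_OUTSIDE_RANGE is returned otherwise, plus a blank line before "#endif /* _CACHE_REQ_PRIVATE_H_ */".
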
diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c
index 56d0345cd..6209c1a5b 100644
--- a/src/responder/common/cache_req/cache_req_search.c
+++ b/src/responder/common/cache_req/cache_req_search.c
@@ -202,6 +202,11 @@ static errno_t cache_req_search_cache(TALLOC_CTX *mem_ctx,
 "Object [%s] was not found in cache\n",
 cr->debugobj);
 break;
+case ERR_UID_OUTSIDE_RANGE:
+CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
+			"gid exceeds domain->minID "
+			"domain->maxID boundaries exceeded\n");
+break;
 default:
 CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
 "Unable to lookup [%s] in cache [%d]: %s\n",
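
Review bot: The debug string in the new ERR_UID_OUTSIDE_RANGE case concatenates to "gid exceeds domain->minID domain->maxID boundaries exceeded", which is garbled and says "gid" although the error code names a UID and the diffstat shows the user_by_id and object_by_id plugins are touched as well. Suggest a neutral message that prints cr->debugobj, as the neighbouring cases do, so the log identifies which lookup was rejected. The two string lines are also indented with tabs.
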
diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c
index b80f310fe..3522f0bec 100644
--- a/src/responder/common/cache_req/plugins/cache_req_common.c
+++ b/src/responder/common/cache_req/plugins/cache_req_common.c
@@ -26,6 +26,16 @@
 #include "providers/data_provider.h"
 #include "responder/common/cache_req/cache_req_plugin.h"
 
+errno_t cache_req_idminmax_check(struct cache_req_data *data,
+	  struct sss_domain_info *domain)
+{
+   if ((domain->id_min && (data->id < domain->id_min)) ||
+   (domain->id_max && (data->id > domain->id_max))) {
+DEBUG(SSSDBG_FUNC_DATA, "gid exceeds min/max boundaries\n");
+return ERR_UID_OUTSIDE_RANGE;
+}
+}
+
 static struct ldb_message *
 cache_req_well_known_sid_msg(TALLOC_CTX *mem_ctx,
  const char *sid,
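
Review bot: cache_req_idminmax_check() is declared errno_t but has no return statement on the in-range path, so when data->id lies within id_min/id_max control falls off the end of the function and the caller acts on an undefined value. Add "return EOK;" after the if block so the range decision is deterministic. The DEBUG text also says "gid" although the helper is declared in the shared private header for all by-ID plugins, and the body mixes three-space and tab indentation.
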
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
index 5ca64283a..9e64e74bb 100644
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
@@ -64,6 +64,7 @@ cache_req_group_by_id_lookup(TALLOC_CTX *mem_ctx,
  struct sss_domain_info