[SSSD] [sssd PR#449][+Changes requested] cache: Check for max_id/min_id in cache_req
URL: https://github.com/SSSD/sssd/pull/449
Title: #449: cache: Check for max_id/min_id in cache_req
Label: +Changes requested
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#449][-Changes requested] cache: Check for max_id/min_id in cache_req
URL: https://github.com/SSSD/sssd/pull/449
Title: #449: cache: Check for max_id/min_id in cache_req
Label: -Changes requested
[SSSD] [sssd PR#449][comment] cache: Check for max_id/min_id in cache_req
URL: https://github.com/SSSD/sssd/pull/449
Title: #449: cache: Check for max_id/min_id in cache_req
jhrozek commented:
"""
Removing changes requested since a new patch had arrived
"""
See the full comment at https://github.com/SSSD/sssd/pull/449#issuecomment-347890037
[SSSD] [sssd PR#461][+Accepted] responder: Fix talloc hierarchy in sized_output_name
URL: https://github.com/SSSD/sssd/pull/461
Title: #461: responder: Fix talloc hierarchy in sized_output_name
Label: +Accepted
[SSSD] [sssd PR#461][comment] responder: Fix talloc hierarchy in sized_output_name
URL: https://github.com/SSSD/sssd/pull/461
Title: #461: responder: Fix talloc hierarchy in sized_output_name
fidencio commented:
"""
I'm adding the "Accepted" label. Thanks for the patch and for the explanation of the issue (face-to-face, last week). I totally missed that when looking at the issue.
"""
See the full comment at https://github.com/SSSD/sssd/pull/461#issuecomment-347874199
[SSSD] [sssd PR#461][comment] responder: Fix talloc hierarchy in sized_output_name
URL: https://github.com/SSSD/sssd/pull/461
Title: #461: responder: Fix talloc hierarchy in sized_output_name
fidencio commented:
"""
I can see one failure in our internal CI:
```
ERROR: Command failed:
# /usr/bin/systemd-nspawn -q -M 5b05f2b1276141ae922d65eae7807749 -D /var/lib/mock/fedora-27-x86_64/root -a --private-network --setenv=TERM=vt100 --setenv=SHELL=/bin/bash --setenv=HOME=/builddir --setenv=HOSTNAME=mock --setenv=PATH=/usr/bin:/bin:/usr/sbin:/sbin --setenv=PROMPT_COMMAND=printf "\033]0;\007" --setenv=PS1= \s-\v\$ --setenv=LANG=en_US.UTF-8 -u mockbuild bash --login -c /usr/bin/rpmbuild -bb --target x86_64 --nodeps /builddir/build/SPECS/sssd.spec
```
This failure happened on f27 system but is not related to this patch at all. For all other systems, CI passed: http://vm-031.${abc}/logs/job/81/98/summary.html
"""
See the full comment at https://github.com/SSSD/sssd/pull/461#issuecomment-347873986
[SSSD] [sssd PR#461][comment] responder: Fix talloc hierarchy in sized_output_name
URL: https://github.com/SSSD/sssd/pull/461
Title: #461: responder: Fix talloc hierarchy in sized_output_name
fidencio commented:
"""
Ack! I'll add the accepted label after getting the results from our CI.
"""
See the full comment at https://github.com/SSSD/sssd/pull/461#issuecomment-347849459
[SSSD] [sssd PR#410][comment] IPA: sanitize name in override search filter - Backport to SSSD-1.13
URL: https://github.com/SSSD/sssd/pull/410
Title: #410: IPA: sanitize name in override search filter - Backport to SSSD-1.13
fidencio commented:
"""
One thing that I have noticed (with or without the patch) is that `getent group f...@ad.ff`, f...@ad.ff being an AD group from the trusted domain, doesn't return me any results. I can only get some results after an `id any_user_who_s_part_of_foo_ad_ff_group`. I guess this is not expected at all, or am I mistaken?
"""
See the full comment at https://github.com/SSSD/sssd/pull/410#issuecomment-347841071
[SSSD] [sssd PR#410][comment] IPA: sanitize name in override search filter - Backport to SSSD-1.13
URL: https://github.com/SSSD/sssd/pull/410
Title: #410: IPA: sanitize name in override search filter - Backport to SSSD-1.13
fidencio commented:
"""
I've tried to reproduce the very same issue using sssd-1.13.3-57.el6_9 and I simply can't. May it be related to the ipa version? I'll give it another try using an el7 system with 1.13 branch installed.
"""
See the full comment at https://github.com/SSSD/sssd/pull/410#issuecomment-347840457
[SSSD] [sssd PR#438][comment] krb5_child: Distinguish between expired & disabled AD user
URL: https://github.com/SSSD/sssd/pull/438
Title: #438: krb5_child: Distinguish between expired & disabled AD user
sumit-bose commented:
"""
Hi Lukas, thank you for the patch. I will have a close look at the code later but I think the general approach is good. I'm just wondering if we should enable it by default and add an option to switch to the plain libkrb5 call for environments where the master KDC lookup is really needed (and works)? What do you think?
"""
See the full comment at https://github.com/SSSD/sssd/pull/438#issuecomment-347840054
[SSSD] [sssd PR#449][synchronized] cache: Check for max_id/min_id in cache_req
URL: https://github.com/SSSD/sssd/pull/449 Author: amitkumar50 Title: #449: cache: Check for max_id/min_id in cache_req Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/449/head:pr449 git checkout pr449 From d9ec950853e7a5b4a3ae5e19f66415520b324cf2 Mon Sep 17 00:00:00 2001 From: amitkumaDate: Tue, 14 Nov 2017 16:44:06 +0530 Subject: [PATCH] cache: Check for max_id/min_id in cache_req The cache_req code doesn't check the min_id/max_id boundaries for requests by ID. Extending the .lookup_fn function in each plugin that searches by ID for a check that returns 0 if the entry is out of the range. Resolves: https://pagure.io/SSSD/sssd/issue/3569 --- src/db/sysdb_ops.c | 1 - src/db/sysdb_search.c | 1 - src/responder/common/cache_req/cache_req_private.h | 2 ++ src/responder/common/cache_req/cache_req_search.c | 5 + src/responder/common/cache_req/plugins/cache_req_common.c | 10 ++ src/responder/common/cache_req/plugins/cache_req_group_by_id.c | 1 + .../common/cache_req/plugins/cache_req_object_by_id.c | 1 + src/responder/common/cache_req/plugins/cache_req_user_by_id.c | 1 + src/util/util_errors.h | 1 + 9 files changed, 21 insertions(+), 2 deletions(-) diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index 1539c41c9..a3c4c9033 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c @@ -4909,7 +4909,6 @@ errno_t sysdb_search_object_by_id(TALLOC_CTX *mem_ctx, if (filter == NULL) { return ENOMEM; } - ret = sysdb_search_object_attr(mem_ctx, domain, filter, attrs, true, res); talloc_free(filter); diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c index 808396690..1806a614e 100644 --- a/src/db/sysdb_search.c +++ b/src/db/sysdb_search.c 
@@ -374,7 +374,6 @@ errno_t sysdb_getpwuid_with_views(TALLOC_CTX *mem_ctx, DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); return ENOMEM; } - /* If there are views we first have to search the overrides for matches */ if (DOM_HAS_VIEWS(domain)) { ret = sysdb_search_user_override_by_uid(tmp_ctx, domain, uid, diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h index 0f630542d..eb43a60ef 100644 --- a/src/responder/common/cache_req/cache_req_private.h +++ b/src/responder/common/cache_req/cache_req_private.h @@ -177,4 +177,6 @@ bool cache_req_common_dp_recv(struct tevent_req *subreq, struct cache_req *cr); +errno_t cache_req_idminmax_check(struct cache_req_data *data, + struct sss_domain_info *domain); #endif /* _CACHE_REQ_PRIVATE_H_ */ diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c index 56d0345cd..6209c1a5b 100644 --- a/src/responder/common/cache_req/cache_req_search.c +++ b/src/responder/common/cache_req/cache_req_search.c @@ -202,6 +202,11 @@ static errno_t cache_req_search_cache(TALLOC_CTX *mem_ctx, "Object [%s] was not found in cache\n", cr->debugobj); break; +case ERR_UID_OUTSIDE_RANGE: +CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, + "gid exceeds domain->minID " + "domain->maxID boundaries exceeded\n"); +break; default: CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr, "Unable to lookup [%s] in cache [%d]: %s\n", diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c index b80f310fe..3522f0bec 100644 --- a/src/responder/common/cache_req/plugins/cache_req_common.c +++ b/src/responder/common/cache_req/plugins/cache_req_common.c 
@@ -26,6 +26,16 @@ #include "providers/data_provider.h" #include "responder/common/cache_req/cache_req_plugin.h" +errno_t cache_req_idminmax_check(struct cache_req_data *data, + struct sss_domain_info *domain) +{ + if ((domain->id_min && (data->id < domain->id_min)) || + (domain->id_max && (data->id > domain->id_max))) { +DEBUG(SSSDBG_FUNC_DATA, "gid exceeds min/max boundaries\n"); +return ERR_UID_OUTSIDE_RANGE; +} +} + static struct ldb_message * cache_req_well_known_sid_msg(TALLOC_CTX *mem_ctx, const char *sid, diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c index 5ca64283a..9e64e74bb 100644 --- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c +++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c @@ -64,6 +64,7 @@ cache_req_group_by_id_lookup(TALLOC_CTX *mem_ctx, struct sss_domain_info
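Review bot: The hunks in src/db/sysdb_ops.c (before `ret = sysdb_search_object_attr(...)`) and src/db/sysdb_search.c (before the "If there are views" comment in sysdb_getpwuid_with_views) each only delete a blank line and are unrelated to the min_id/max_id check. Please drop both so the patch touches only cache_req and the error list, which also keeps it easier to backport.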
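Review bot: The prototype for cache_req_idminmax_check() added to cache_req_private.h has no comment describing its contract. Please document that it returns ERR_UID_OUTSIDE_RANGE when data->id lies outside the domain's id_min/id_max and what it returns otherwise, and that a bound of 0 means "no limit" (which is how the `domain->id_min &&` and `domain->id_max &&` tests in cache_req_common.c treat it). A blank line between the prototype and `#endif` would also match the rest of the header.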
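Review bot: In the new `case ERR_UID_OUTSIDE_RANGE:` in cache_req_search_cache(), the log text "gid exceeds domain->minID domain->maxID boundaries exceeded" is garbled and mentions only gids, although the diffstat shows the check being wired into the user-by-ID and object-by-ID plugins as well. Suggest following the neighbouring cases and logging cr->debugobj, for example "Object [%s] is outside the domain's min_id/max_id range". The case also breaks with ret still holding the new error code, while the commit message says the check "returns 0" for out-of-range entries; please state which behaviour is intended and confirm that callers handle this code as "not found in this domain" rather than as a lookup failure.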
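Review bot: cache_req_idminmax_check() in cache_req_common.c has no return statement on the in-range path: when neither bound is violated, control falls off the end of a function declared `errno_t`, so the caller reads an indeterminate value. For an access-relevant range filter that means a valid ID may be rejected, or the result may differ between compilers and optimisation levels. Add `return EOK;` after the if block. The DEBUG text says "gid" and the error code says UID, yet the helper compares a generic data->id; a neutral name (ERR_ID_OUTSIDE_RANGE is one suggestion) and a message that prints data->id together with id_min and id_max would make the log line usable when diagnosing why a lookup was filtered.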
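Review bot: The diffstat lists src/util/util_errors.h but no change to src/util/util_errors.c, so the new ERR_UID_OUTSIDE_RANGE code appears to be added without a matching message string. SSSD keeps the strings for these codes in util_errors.c, in the same order as the enum; please add the entry there in the same position so that error-to-string lookups for this and the following codes stay aligned.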