Re: [SSSD] [WIKI] Contribute and DevelTips are duplicate

2015-08-17 Thread Petr Cech

On 07/17/2015 01:26 PM, Petr Cech wrote:

Hi,

I have read the wiki pages. And I have the edited version. It would be 
difficult to send the diff, so I started new pages where you can 
view the result.


Original pages:
[ 1] https://fedorahosted.org/sssd/wiki/Contribute
[ 2] https://fedorahosted.org/sssd/wiki/DevelTips
[ 3] https://fedorahosted.org/sssd/wiki/DevelTutorials
[ 4] https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs
[ 5] https://fedorahosted.org/sssd/wiki/BugLifecycle
[ 6] https://fedorahosted.org/sssd/wiki/Repositories

Content of [3] has been divided between [1] and [3], content of [5] 
has been divided between [1] and [4]. Then [3,5,6] will be deleted.


Test of new pages:
[ 7] https://fedorahosted.org/sssd/wiki/pcech_test_contribute
[ 8] https://fedorahosted.org/sssd/wiki/pcech_test_devel_tips
[ 9] https://fedorahosted.org/sssd/wiki/pcech_test_reporting_sssd_bugs

Note that the links lead to the original pages.
At [7] you can find the COPR Repository section, but I am not sure about the 
text there. Please look at it.
I did not go through the whole wiki. I think there might be a link from [8] 
(perhaps [9]) to Troubleshooting.


I look forward to your comments; I need the opinions of other people.

Petr


Hi,

I did some small edits following a talk with Jakub:
  * deleting Code Submission Process in Contribute
  * simplifying the structure of the headings in Contribute
  * adding link to tevent documentation in Devel tips
  * merging SSSD bug report
and we would like to move the link to the COPR repo to the homepage (and add 
a note about the Ubuntu package, is that right?)


So the new version (without the homepage and the link to the Ubuntu repo) is in the same 
place:

[ 7] https://fedorahosted.org/sssd/wiki/pcech_test_contribute
[ 8] https://fedorahosted.org/sssd/wiki/pcech_test_devel_tips
[ 9] https://fedorahosted.org/sssd/wiki/pcech_test_reporting_sssd_bugs

Petr
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCH] DATA_PROVIDER: BE_REQ as string in log message

2015-08-18 Thread Petr Cech

On 08/05/2015 11:23 AM, Jakub Hrozek wrote:

B)
 While writing a patch Lukas noticed other similar logging messages

 [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [LDAP][3][1][name=mof_user6]
 
 I investigated it. This is the same thing -- BE_REQ_*, but it is no longer
 in the provider, but in the responder. Can you please advise me where I
 could write the function 'be_req2str'?

I think you should move it to a separate file, as you don't want to share more
code than necessary.
There are 2 possibilities where to have this file
a) in src/providers  - responders already link with some modules from this
folder, so I suppose it's viable

Yes, this is a bit of hierarchy violation, but in the end we need to
share the constants somehow. I think it's fine to keep the definite
version in the providers/dp_* hierarchy, because that's where the
interface is defined, the responder is a consumer.


There is a new patch attached.

I think that constants and const2str() functions should be in one 
place. I tried to suggest how we might share our constants. That's why I 
created a new header file into which we could move all the constants in 
the future.


I am open to discussion. I look forward to your views.

Petr
From 511224743e8d8e788e9701f0fb3db418ca12b506 Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Tue, 18 Aug 2015 06:59:31 -0400
Subject: [PATCH] DATA_PROVIDER: BE_REQ as string in log message

Add be_req2str() for translation BE_REQ to string.
So we will have
|| Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]
instead of
|| Got request for [0x1001][1][name=celestian]

Function be_req2str() is used in data provider and in responder too.
So this patch creates a new header file data_provider_req.h which
delivers function be_req2str() and definitions of BE_REQ_*.

Resolves:
https://fedorahosted.org/sssd/ticket/2708
---
 Makefile.am   |  5 +-
 src/providers/ad/ad_id.c  |  1 +
 src/providers/data_provider.h | 16 ---
 src/providers/data_provider_be.c  |  4 +-
 src/providers/data_provider_req.c | 68 +++
 src/providers/data_provider_req.h | 51 
 src/providers/ipa/ipa_id.c|  1 +
 src/providers/ipa/ipa_s2n_exop.c  |  1 +
 src/providers/ipa/ipa_subdomains_ext_groups.c |  1 +
 src/providers/ipa/ipa_subdomains_id.c |  1 +
 src/providers/ipa/ipa_views.c |  1 +
 src/providers/ldap/ldap_id.c  |  1 +
 src/providers/ldap/sdap_refresh.c |  1 +
 src/providers/ldap/sdap_sudo.c|  1 +
 src/providers/proxy/proxy_id.c|  1 +
 src/providers/simple/simple_access_check.c|  1 +
 src/responder/autofs/autofssrv_dp.c   |  1 +
 src/responder/common/responder_dp.c   |  5 +-
 src/responder/ssh/sshsrv_dp.c |  1 +
 src/responder/sudo/sudosrv_dp.c   |  1 +
 20 files changed, 143 insertions(+), 20 deletions(-)
 create mode 100644 src/providers/data_provider_req.c
 create mode 100644 src/providers/data_provider_req.h

diff --git a/Makefile.am b/Makefile.am
index ed107fd5dc76b768176a3d7236b0bf1c75f212bf..f71eb862ee935b2c6662678d7c20a12d2e62bf71 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -445,7 +445,8 @@ SSSD_RESPONDER_OBJ = \
 src/monitor/monitor_iface_generated.c \
 src/monitor/monitor_iface_generated.h \
 src/providers/data_provider_iface_generated.c \
-src/providers/data_provider_iface_generated.h
+src/providers/data_provider_iface_generated.h \
+src/providers/data_provider_req.c
 
 SSSD_TOOLS_OBJ = \
 src/tools/sss_sync_ops.c \
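Review bot: In SSSD_RESPONDER_OBJ the new data_provider_req.c entry is appended as the last item, so the data_provider_iface_generated.h line has to be changed only to gain a continuation backslash. Ending the list with a $(NULL) terminator would keep later additions to one-line changes.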
@@ -1191,6 +1192,7 @@ endif
 
 sssd_be_SOURCES = \
 src/providers/data_provider_be.c \
+src/providers/data_provider_req.c \
 src/providers/data_provider_fo.c \
 src/providers/data_provider_opts.c \
 src/providers/data_provider_callbacks.c \
@@ -1643,6 +1645,7 @@ simple_access_tests_SOURCES = \
 src/providers/simple/simple_access.c \
 src/providers/simple/simple_access_check.c \
 src/providers/data_provider_be.c \
+src/providers/data_provider_req.c \
 src/providers/data_provider_fo.c \
 src/providers/data_provider_opts.c \
 src/providers/data_provider_callbacks.c \
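Review bot: src/providers/data_provider_req.h is missing from Makefile.am: the three hunks only add data_provider_req.c (to SSSD_RESPONDER_OBJ, sssd_be_SOURCES and simple_access_tests_SOURCES), while the diffstat shows the header being created. A header that is not listed in a distributed headers variable is left out of the tarball, and a build from that tarball then fails on the new #include. List it next to src/providers/data_provider.h in dist_noinst_HEADERS.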
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 7a0c6eccd2d2f0d4f8a545a9d4873a9447179a00..c0d8218d46d20f59ef53520dd0c6793ce553773c 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -21,6 +21,7 @@
 */
 #include util/util.h
 #include util/strtonum.h
+#include providers/data_provider_req.h
 #include providers/ad/ad_common.h
 #include providers/ad/ad_id.h
 #include providers/ad/ad_domain_info.h
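Review bot: The #include of providers/data_provider_req.h added to ad_id.c is repeated as a one-line change in each provider and responder file listed in the diffstat. Including data_provider_req.h once from data_provider.h, which loses its BE_REQ_* lines in this patch, would give every file that already includes data_provider.h the definitions without touching it.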
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 510c63ce41c99314ec8fcf11fffb2e66082e8951..fd4b6d3d7f66756aeb5b4dade3bfbb8953f5ddf1 100644
--- a/src/providers

Re: [SSSD] [PATCH] TESTS: Removing part of responder_cache_req-tests

2015-08-21 Thread Petr Cech

On 08/21/2015 02:35 PM, Michal Židek wrote:

Hi,

some of the tests you deleted are valid and
should not be deleted.

Only those tests that rely on time(NULL)
being the same as the time of request
creation are invalid. All those that test old
entries or nonexistent entries are OK.
See comments inline.

I agree.
Those tests have a different logic. So I put them back.
Petr
From 63defe03797a8a9038e49400089a732bd35efaca Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Fri, 21 Aug 2015 16:44:37 +0200
Subject: [PATCH] TESTS: Removing part of responder_cache_req-tests

If you call cache_req_[user|group]_by_filter_send() it then later calls
updated_[users|groups]_by_filter(), which adds a filter that is called
recent. This filter causes only [users|groups] added after the
request started to be returned.

This patch removes tests which use
cache_req_[user|group]_by_filter_send(), because the logic of those
tests is corrupted. The tests create [users|groups] and after that they
call cache_req_[user|group]_by_filter_send(). So it is obvious that it
is not in the right manner.

A possible fix is to rewrite the tests to create the entries in the callback.

Resolves:
https://fedorahosted.org/sssd/ticket/2730
---
 src/tests/cmocka/test_responder_cache_req.c |  211 ---
 1 files changed, 0 insertions(+), 211 deletions(-)

diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
index 032fe429ac88b8cc9113976329ea04837f287276..bc6e2dc8f86a8fa8dc322da10fff4883f075ec7d 100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -1710,54 +1710,6 @@ static void cache_req_user_by_filter_test_done(struct tevent_req *req)
 ctx-tctx-done = true;
 }
 
-void test_users_by_filter_valid(void **state)
-{
-struct cache_req_test_ctx *test_ctx = NULL;
-TALLOC_CTX *req_mem_ctx = NULL;
-struct tevent_req *req = NULL;
-const char *ldbname = NULL;
-errno_t ret;
-
-test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-test_ctx-create_user = true;
-
-ret = sysdb_store_user(test_ctx-tctx-dom, TEST_USER_NAME2, pwd, 1001, 1001,
-   NULL, NULL, NULL, cn=TEST_USER_NAME2,dc=test, NULL,
-   NULL, 1000, time(NULL));
-assert_int_equal(ret, EOK);
-
-req_mem_ctx = talloc_new(global_talloc_context);
-check_leaks_push(req_mem_ctx);
-
-/* Filters always go to DP */
-will_return(__wrap_sss_dp_get_account_send, test_ctx);
-mock_account_recv_simple();
-
-req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx-tctx-ev,
-test_ctx-rctx,
-test_ctx-tctx-dom-name,
-test*);
-assert_non_null(req);
-tevent_req_set_callback(req, cache_req_user_by_filter_test_done, test_ctx);
-
-ret = test_ev_loop(test_ctx-tctx);
-assert_int_equal(ret, ERR_OK);
-assert_true(check_leaks_pop(req_mem_ctx));
-
-assert_non_null(test_ctx-result);
-assert_int_equal(test_ctx-result-count, 2);
-
-ldbname = ldb_msg_find_attr_as_string(test_ctx-result-msgs[0],
-  SYSDB_NAME, NULL);
-assert_non_null(ldbname);
-assert_string_equal(ldbname, TEST_USER_NAME2);
-
-ldbname = ldb_msg_find_attr_as_string(test_ctx-result-msgs[1],
-  SYSDB_NAME, NULL);
-assert_non_null(ldbname);
-assert_string_equal(ldbname, TEST_USER_NAME);
-}
-
 void test_users_by_filter_filter_old(void **state)
 {
 struct cache_req_test_ctx *test_ctx = NULL;
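Review bot: The commit message does not match what is removed here. It says the patch removes the tests that use cache_req_[user|group]_by_filter_send(), yet the context lines keep test_users_by_filter_filter_old, and the next hunk header shows test_users_by_filter_notfound staying as well. Reword the message to say that only the tests which store an entry with time(NULL) and then expect a later-created request to return it, such as test_users_by_filter_valid, are removed, and leave a short comment at this spot pointing to the ticket so the missing positive case is not forgotten.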
@@ -1831,63 +1783,6 @@ void test_users_by_filter_notfound(void **state)
 assert_true(check_leaks_pop(req_mem_ctx));
 }
 
-static void test_users_by_filter_multiple_domains_valid(void **state)
-{
-struct cache_req_test_ctx *test_ctx = NULL;
-struct sss_domain_info *domain = NULL;
-TALLOC_CTX *req_mem_ctx = NULL;
-struct tevent_req *req = NULL;
-const char *ldbname = NULL;
-errno_t ret;
-
-test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
-domain = find_domain_by_name(test_ctx-tctx-dom,
- responder_cache_req_test_d, true);
-assert_non_null(domain);
-
-ret = sysdb_store_user(domain, TEST_USER_NAME, pwd, 1000, 1000,
-   NULL, NULL, NULL, cn=TEST_USER_NAME,dc=test, NULL,
-   NULL, 1000, time(NULL));
-assert_int_equal(ret, EOK);
-
-ret = sysdb_store_user(domain, TEST_USER_NAME2, pwd, 1001, 1001,
-   NULL, NULL, NULL, cn=TEST_USER_NAME2,dc=test, NULL,
-   NULL, 1000, time(NULL));
-assert_int_equal(ret, EOK);
-
-req_mem_ctx = talloc_new(global_talloc_context);
-check_leaks_push(req_mem_ctx);
-
-/* Filters always go to DP */
-will_return(__wrap_sss_dp_get_account_send

Re: [SSSD] [PATCH] sssd: incorrect checks on length values during packet, decoding

2015-08-21 Thread Petr Cech

On 07/23/2015 02:44 PM, Michal Židek wrote:

Hi,

see the attached patch for ticket
https://fedorahosted.org/sssd/ticket/1697

I think this is a candidate to include in our
coding guidelines.


I agree. It is a candidate.

Thanks,
Michal




I built it, tests are OK and CI is here:
http://sssd-ci.duckdns.org/logs/commit/4f/9768ec28a6327f4c865d4e7a5c547681f9a8af/2370/summary.html
(The failure is not connected to this patch.)

ACK

Petr


[SSSD]Re: Re: [PATCH] DATA_PROVIDER: BE_REQ as string in log message

2015-08-21 Thread Petr Cech

On 08/21/2015 01:08 PM, Pavel Reichl wrote:

Hello Petr,

make distcheck fails:
/workspace/ci/label/rhel7/ci-build-debug/sssd-1.13.1/_inst/share/locale\ 
-g3 -O2 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE 
-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE 
-D_LARGEFILE64_SOURCE -c ../src/providers/ldap/ldap_id.c  -fPIC -DPIC 
-o src/providers/ldap/.libs/libsss_ldap_common_la-ldap_id.o
../src/providers/ldap/ldap_id.c:33:41: fatal error: 
providers/data_provider_req.h: No such file or directory

  #include providers/data_provider_req.h

you can fix this by something like:


Makefile.am
@@ -584,6 +584,7 @@ dist_noinst_HEADERS = \
 src/confdb/confdb_private.h \
 src/confdb/confdb_setup.h \
 src/providers/data_provider.h \
+src/providers/data_provider_req.h \


I think that data_provider_req.h should be included in 
data_provider.h, you could save a lot of changes in source files that 
require both of them. 

Thanks.
There is a repaired patch attached.
Petr
From 7f154378f56a01ca65bfeba9985c605214d628b8 Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Tue, 18 Aug 2015 06:59:31 -0400
Subject: [PATCH] DATA_PROVIDER: BE_REQ as string in log message

Add be_req2str() for translation BE_REQ to string.
So we will have
|| Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]
instead of
|| Got request for [0x1001][1][name=celestian]

Function be_req2str() is used in data provider and in responder too.
So this patch creates a new header file data_provider_req.h which
delivers function be_req2str() and definitions of BE_REQ_*.

Resolves:
https://fedorahosted.org/sssd/ticket/2708
---
 Makefile.am |  6 +++-
 src/providers/data_provider.h   | 17 +-
 src/providers/data_provider_be.c|  3 +-
 src/providers/data_provider_req.c   | 68 +
 src/providers/data_provider_req.h   | 51 
 src/responder/common/responder_dp.c |  4 +--
 6 files changed, 129 insertions(+), 20 deletions(-)
 create mode 100644 src/providers/data_provider_req.c
 create mode 100644 src/providers/data_provider_req.h

diff --git a/Makefile.am b/Makefile.am
index f153ab0adf390880672a1681b386ea26426465cb..94920b29d7aab44085e401f8ada8555ab69fed6a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -446,7 +446,8 @@ SSSD_RESPONDER_OBJ = \
 src/monitor/monitor_iface_generated.c \
 src/monitor/monitor_iface_generated.h \
 src/providers/data_provider_iface_generated.c \
-src/providers/data_provider_iface_generated.h
+src/providers/data_provider_iface_generated.h \
+src/providers/data_provider_req.c
 
 SSSD_TOOLS_OBJ = \
 src/tools/sss_sync_ops.c \
@@ -583,6 +584,7 @@ dist_noinst_HEADERS = \
 src/confdb/confdb_private.h \
 src/confdb/confdb_setup.h \
 src/providers/data_provider.h \
+src/providers/data_provider_req.h \
 src/providers/dp_backend.h \
 src/providers/dp_dyndns.h \
 src/providers/dp_ptask_private.h \
@@ -1193,6 +1195,7 @@ endif
 
 sssd_be_SOURCES = \
 src/providers/data_provider_be.c \
+src/providers/data_provider_req.c \
 src/providers/data_provider_fo.c \
 src/providers/data_provider_opts.c \
 src/providers/data_provider_callbacks.c \
@@ -1646,6 +1649,7 @@ simple_access_tests_SOURCES = \
 src/providers/simple/simple_access.c \
 src/providers/simple/simple_access_check.c \
 src/providers/data_provider_be.c \
+src/providers/data_provider_req.c \
 src/providers/data_provider_fo.c \
 src/providers/data_provider_opts.c \
 src/providers/data_provider_callbacks.c \
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 510c63ce41c99314ec8fcf11fffb2e66082e8951..39051b90c3aad96f62dcbb86a20bcfd8c954879b 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -43,6 +43,7 @@
 #include sbus/sbus_client.h
 #include sss_client/sss_cli.h
 #include util/authtok.h
+#include providers/data_provider_req.h
 #include providers/data_provider_iface_generated.h
 
 #define DATA_PROVIDER_VERSION 0x0001
@@ -131,22 +132,6 @@
 #define BE_FILTER_CERT 6
 #define BE_FILTER_WILDCARD 7
 
-#define BE_REQ_USER  0x0001
-#define BE_REQ_GROUP 0x0002
-#define BE_REQ_INITGROUPS0x0003
-#define BE_REQ_NETGROUP  0x0004
-#define BE_REQ_SERVICES  0x0005
-#define BE_REQ_SUDO_FULL 0x0006
-#define BE_REQ_SUDO_RULES0x0007
-#define BE_REQ_AUTOFS0x0009
-#define BE_REQ_HOST  0x0010
-#define BE_REQ_BY_SECID  0x0011
-#define BE_REQ_USER_AND_GROUP 0x0012
-#define BE_REQ_BY_UUID   0x0013
-#define BE_REQ_BY_CERT   0x0014
-#define BE_REQ_TYPE_MASK 0x00FF
-#define BE_REQ_FAST  0x1000
-
 #define DP_SEC_ID secid
 #define DP_CERT cert
 /* sizeof() counts the trailing \0 so we must substract 1 for the string
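Review bot: be_req2str() has to mask its argument with BE_REQ_TYPE_MASK and treat BE_REQ_FAST separately; the block removed here shows that BE_REQ_FAST (0x1000) lies outside the 0x00FF mask and that the type values are not contiguous (0x0008 is unused and 0x0009 is followed by 0x0010). The source of be_req2str() is not shown on this page, so please confirm that it produces the [FAST BE_REQ_USER] form from the commit message for 0x1001 and returns a fixed string for unassigned values.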
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index d147630248f0a24f5a632760b55b9284a6928e40

Re: [SSSD] [PATCH] DATA_PROVIDER: BE_REQ as string in log message

2015-08-21 Thread Petr Cech

On 08/21/2015 05:10 PM, Pavel Reichl wrote:

Petr can you change data_provider_req.c to include

providers/data_provider_req.h

instead of

providers/data_provider.h ?

I originally thought that you will be able to include solely 
data_provider_req.h from responder_dp.c but I see that data_provider.h 
is required. But I still don't mind introducing data_provider_req.h.


If you change this little nitpick I think I can ACK the patch.

Pavel,
you're right, that's my main opinion on this issue. I am sorry, I need 
more focus and coffee.

There is a fixed (not repaired) patch.
Petr
From aebda5def026d7a0fc40c4034ef18ba97ada5f36 Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Tue, 18 Aug 2015 06:59:31 -0400
Subject: [PATCH] DATA_PROVIDER: BE_REQ as string in log message

Add be_req2str() for translation BE_REQ to string.
So we will have
|| Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]
instead of
|| Got request for [0x1001][1][name=celestian]

Function be_req2str() is used in data provider and in responder too.
So this patch creates a new header file data_provider_req.h which
delivers function be_req2str() and definitions of BE_REQ_*.

Resolves:
https://fedorahosted.org/sssd/ticket/2708
---
 Makefile.am |  6 +++-
 src/providers/data_provider.h   | 17 +-
 src/providers/data_provider_be.c|  3 +-
 src/providers/data_provider_req.c   | 68 +
 src/providers/data_provider_req.h   | 51 
 src/responder/common/responder_dp.c |  4 +--
 6 files changed, 129 insertions(+), 20 deletions(-)
 create mode 100644 src/providers/data_provider_req.c
 create mode 100644 src/providers/data_provider_req.h

diff --git a/Makefile.am b/Makefile.am
index f153ab0adf390880672a1681b386ea26426465cb..94920b29d7aab44085e401f8ada8555ab69fed6a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -446,7 +446,8 @@ SSSD_RESPONDER_OBJ = \
 src/monitor/monitor_iface_generated.c \
 src/monitor/monitor_iface_generated.h \
 src/providers/data_provider_iface_generated.c \
-src/providers/data_provider_iface_generated.h
+src/providers/data_provider_iface_generated.h \
+src/providers/data_provider_req.c
 
 SSSD_TOOLS_OBJ = \
 src/tools/sss_sync_ops.c \
@@ -583,6 +584,7 @@ dist_noinst_HEADERS = \
 src/confdb/confdb_private.h \
 src/confdb/confdb_setup.h \
 src/providers/data_provider.h \
+src/providers/data_provider_req.h \
 src/providers/dp_backend.h \
 src/providers/dp_dyndns.h \
 src/providers/dp_ptask_private.h \
@@ -1193,6 +1195,7 @@ endif
 
 sssd_be_SOURCES = \
 src/providers/data_provider_be.c \
+src/providers/data_provider_req.c \
 src/providers/data_provider_fo.c \
 src/providers/data_provider_opts.c \
 src/providers/data_provider_callbacks.c \
@@ -1646,6 +1649,7 @@ simple_access_tests_SOURCES = \
 src/providers/simple/simple_access.c \
 src/providers/simple/simple_access_check.c \
 src/providers/data_provider_be.c \
+src/providers/data_provider_req.c \
 src/providers/data_provider_fo.c \
 src/providers/data_provider_opts.c \
 src/providers/data_provider_callbacks.c \
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 510c63ce41c99314ec8fcf11fffb2e66082e8951..39051b90c3aad96f62dcbb86a20bcfd8c954879b 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -43,6 +43,7 @@
 #include sbus/sbus_client.h
 #include sss_client/sss_cli.h
 #include util/authtok.h
+#include providers/data_provider_req.h
 #include providers/data_provider_iface_generated.h
 
 #define DATA_PROVIDER_VERSION 0x0001
@@ -131,22 +132,6 @@
 #define BE_FILTER_CERT 6
 #define BE_FILTER_WILDCARD 7
 
-#define BE_REQ_USER  0x0001
-#define BE_REQ_GROUP 0x0002
-#define BE_REQ_INITGROUPS0x0003
-#define BE_REQ_NETGROUP  0x0004
-#define BE_REQ_SERVICES  0x0005
-#define BE_REQ_SUDO_FULL 0x0006
-#define BE_REQ_SUDO_RULES0x0007
-#define BE_REQ_AUTOFS0x0009
-#define BE_REQ_HOST  0x0010
-#define BE_REQ_BY_SECID  0x0011
-#define BE_REQ_USER_AND_GROUP 0x0012
-#define BE_REQ_BY_UUID   0x0013
-#define BE_REQ_BY_CERT   0x0014
-#define BE_REQ_TYPE_MASK 0x00FF
-#define BE_REQ_FAST  0x1000
-
 #define DP_SEC_ID secid
 #define DP_CERT cert
 /* sizeof() counts the trailing \0 so we must substract 1 for the string
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index d147630248f0a24f5a632760b55b9284a6928e40..d71a69cb8e2997975828236998ec0b0e3f353f07 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -1104,7 +1104,8 @@ static int be_get_account_info(struct sbus_request *dbus_req, void *user_data)
 return EOK; /* handled */
 
 DEBUG(SSSDBG_FUNC_DATA,
-  Got request for [%#x][%d][%s]\n, type, attr_type, filter);
+  Got request for [%#x][%s][%d][%s]\n, type, be_req2str
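Review bot: be_req2str() is passed straight to a %s conversion in the new DEBUG format, so it must never return NULL, including for a type value it does not recognise. The argument list is cut off on this page after be_req2str; the four conversions [%#x][%s][%d][%s] need type, the be_req2str() result, attr_type and filter in that order.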

[SSSD]Re: Re: [PATCH] TESTS: ldap_id_cleanup timeouts

2015-08-21 Thread Petr Cech

On 08/21/2015 01:33 PM, Michal Židek wrote:

On 08/20/2015 01:50 PM, Petr Cech wrote:

On 08/19/2015 08:26 PM, Michal Židek wrote:

Hi!

This is another patch to avoid failing tests
in the CI (make-check-valgrind). This time
the ldap_id_cleanup tests.

Looks like the one second cache timeout was too short
and the tests sometimes failed because they expected the
entries to be still valid for a short while
after they were added to sysdb.

I saw the failures only on Fedora 20 CI machine.

See the attached patch.

Michal

Hi,
I just ran your patch on my F22 VM and I see some trouble here... see
attachment.
Petr
PS: I used clean GIT and your patch, nothing else. I know that this
problem is different from the one you solved. But it is still an issue.



I just saw 2 more fails in the CI because of the short
cache timeout. The problem you see, as you said as well,
is a different one and I agree it should be solved as
well but so far we were able to reproduce it on your
computer only and I did not see fails in the CI because of
that problem. I would suggest pushing this patch (if you
ACK it that is) to fix CI and look at the problem you
found later.

Michal


OK, I agree.

There is a new ticket about the mentioned bug:
https://fedorahosted.org/sssd/ticket/2768

And there are CI tests:
http://sssd-ci.duckdns.org/logs/job/23/57/summary.html
(The failing is not connected to this patch.)

ACK

Petr


Re: [SSSD] [PATCH] TESTS: ldap_id_cleanup timeouts

2015-08-20 Thread Petr Cech

On 08/19/2015 08:26 PM, Michal Židek wrote:

Hi!

This is another patch to avoid failing tests
in the CI (make-check-valgrind). This time
the ldap_id_cleanup tests.

Looks like the one second cache timeout was too short
and the tests sometimes failed because they expected the
entries to be still valid for a short while
after they were added to sysdb.

I saw the failures only on Fedora 20 CI machine.

See the attached patch.

Michal 

Hi,
I just ran your patch on my F22 VM and I see some trouble here... see 
attachment.

Petr
PS: I used clean GIT and your patch, nothing else. I know that this 
problem is different from the one you solved. But it is still an issue.
(Thu Aug 20 07:40:49:577840 2015) [sssd] [test_multidom_suite_cleanup] 
(0x0020): Could not delete the test config ldb file [20]: (Not a directory)
(Thu Aug 20 07:40:49:577887 2015) [sssd] [test_multidom_suite_cleanup] 
(0x0020): Could not delete the test domain ldb file [20]: (Not a directory)
(Thu Aug 20 07:40:49:577899 2015) [sssd] [test_multidom_suite_cleanup] 
(0x0020): Could not delete the test dir (20) (Not a directory)
[==] Running 1 test(s).
[ RUN  ] test_id_cleanup_exp_group
(Thu Aug 20 07:40:49:578773 2015) [sssd] [ldb] (0x0020): Unable to open tdb 
'test_ldap_id_cleanup/tests_conf.ldb': Not a directory
(Thu Aug 20 07:40:49:578786 2015) [sssd] [ldb] (0x0020): Failed to connect to 
'test_ldap_id_cleanup/tests_conf.ldb' with backend 'tdb': Unable to open tdb 
'test_ldap_id_cleanup/tests_conf.ldb': Not a directory
(Thu Aug 20 07:40:49:578791 2015) [sssd] [confdb_init] (0x0010): Unable to open 
config database [test_ldap_id_cleanup/tests_conf.ldb]
Could not run the test - check test fixtures
[  ERROR   ] test_id_cleanup_exp_group
[==] 1 test(s) run.
[  PASSED  ] 0 test(s).
FAIL test_ldap_id_cleanup (exit status: 1)


Re: [SSSD] [PATCH] UTIL: Function 2string for enum sss_cli_command

2015-08-18 Thread Petr Cech

On 08/13/2015 11:11 AM, Lukas Slebodnik wrote:

From a93e36f11759cf9a748942e7632d4a07a088b098 Mon Sep 17 00:00:00 2001

From: Petr Cech pc...@redhat.com
Date: Wed, 8 Jul 2015 07:17:28 -0400
Subject: [PATCH] UTIL: Function 2string for enum sss_cli_command

Improvement of debug messages.
Instead of:(0x0400): Running command [17]...
We could see:(0x0400): Running command [17][SSS_NSS_GETPWNAM]...
(It's not used in sss_client. There are only hex numbers of commands.)

Resolves:
https://fedorahosted.org/sssd/ticket/2708

The patch does not apply to master.
I had to use three-way merge.
Please rebase it.

Rebased.

---
Makefile.am  |   3 +-
src/providers/dp_pam_data_util.c |  27 +
src/responder/nss/nsssrv_cmd.c   |  30 ++---
src/sss_client/pam_sss.c |   6 +-
src/tools/tools_mc_util.c|   4 +-
src/util/sss_cli_cmd.c   | 238 +++
src/util/sss_cli_cmd.h   |  28 +
7 files changed, 293 insertions(+), 43 deletions(-)
create mode 100644 src/util/sss_cli_cmd.c
create mode 100644 src/util/sss_cli_cmd.h

diff --git a/Makefile.am b/Makefile.am
index 
b8cbc6df23ded1edb945a709b6dbe1c44eb54017..430f2292a1be9e0f0b7cb56e8ecbf179e9978dcd
 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -678,7 +678,8 @@ endif
pkglib_LTLIBRARIES += libsss_debug.la
libsss_debug_la_SOURCES = \
 src/util/debug.c \
-src/util/sss_log.c
+src/util/sss_log.c \
+src/util/sss_cli_cmd.c

We decided to add $NULL at the end of list so in future
you will not need to change two lines if you add new file.

$NULL added.



libsss_debug_la_LIBADD = \
 $(SYSLOG_LIBS)
libsss_debug_la_LDFLAGS = \
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 
0129467302f16af3180a5be47ff2e235da65..d37a13820ef857fcf43efba3fb07535c4b6eb509
 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1656,7 +1656,7 @@ static int pam_sss(enum sss_cli_command task, 
pam_handle_t *pamh,
 case SSS_PAM_CLOSE_SESSION:
 break;
 default:
-D((Illegal task [%d], task));
+D((Illegal task [%#x],task));

   ^
 There was a space before change.
 Could you return it back.

Returned.

 return PAM_SYSTEM_ERR;
 }
diff --git a/src/util/sss_cli_cmd.c b/src/util/sss_cli_cmd.c
new file mode 100644
index 
..97b967b4014193dc8f7571e5fe821523d469f201
--- /dev/null
+++ b/src/util/sss_cli_cmd.c
@@ -0,0 +1,238 @@
+/*
+   SSSD - cmd2str util
+
+   Copyright (C) Petr Cech pc...@redhat.com 2015
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see http://www.gnu.org/licenses/.
+*/
+
+#include sss_client/sss_cli.h
+#include util/sss_cli_cmd.h
+#include util/util.h
+
+const char *sss_cmd2str(enum sss_cli_command cmd)
+{

//snip


+
+#if 0
+/* shadow */
+case SSS_NSS_GETSPNAM:
+return SSS_NSS_GETSPNAM;
+case SSS_NSS_GETSPUID:
+return SSS_NSS_GETSPUID;
+case SSS_NSS_SETSPENT:
+return SSS_NSS_SETSPENT;
+case SSS_NSS_GETSPENT:
+return SSS_NSS_GETSPENT;
+case SSS_NSS_ENDSPENT:
+return SSS_NSS_ENDSPENT;
+#endif

I think it's better to be consistent with the header file
and we can have unused options here.
But it's better not to add spaces before '#'

I saw a pattern in some header files where spaces were added
after this character.
Something like

#if defined __GNUC__
# if defined __NO_INLINE__
#  define HAVE_INLINE 0
# else
#  define HAVE_INLINE 1
#  ifndef inline
#   define inline __inline__
#  endif
# endif
#elif defined __cplusplus

Please remove indentation for #if and #endif
in whole file.

Removed.



+
+/* SUDO */
+case SSS_SUDO_GET_SUDORULES:
+return SSS_SUDO_GET_SUDORULES;
+case SSS_SUDO_GET_DEFAULTS:
+return SSS_SUDO_GET_DEFAULTS;
+

//snip

+
+/* ID-SID mapping calls */
+case SSS_NSS_GETSIDBYNAME:
+return SSS_NSS_GETSIDBYNAME;
+case SSS_NSS_GETSIDBYID:
+return SSS_NSS_GETSIDBYID;
+case SSS_NSS_GETNAMEBYSID:
+return SSS_NSS_GETNAMEBYSID;
+case SSS_NSS_GETIDBYSID:
+return SSS_NSS_GETIDBYSID;
+case SSS_NSS_GETORIGBYNAME:
+return SSS_NSS_GETORIGBYNAME;
+default:
+DEBUG
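Review bot: The default: branch at the end of sss_cmd2str() calls DEBUG, and the line is cut off here, so what the branch returns is not visible. Since the function exists to feed a %s in messages such as "Running command [17][SSS_NSS_GETPWNAM]", that branch should still return a non-NULL constant string marking an unknown command, so an unexpected enum value cannot hand NULL to the format.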

Re: [SSSD] [WIP] [TEST]: Observation patch

2015-08-17 Thread Petr Cech

On 08/17/2015 08:52 AM, Lukas Slebodnik wrote:

From c871c97862997df4e724647f1a0ce7297f2f059b Mon Sep 17 00:00:00 2001

From: Petr Cechpc...@redhat.com
Date: Fri, 14 Aug 2015 13:17:22 +0200
Subject: [PATCH] TEST: Fix for responder_cache_req-tests

Tests, that do not pass, have a problem with time. Time for writing
records into database varied from time of creating a request,  that is
used for filtering records internally.

The patch modifies the time of creation record (adds one second to
now()), so it should not be different times there.

Resolves:
https://fedorahosted.org/sssd/ticket/2730
---
src/tests/cmocka/test_responder_cache_req.c |   18 --
1 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/tests/cmocka/test_responder_cache_req.c 
b/src/tests/cmocka/test_responder_cache_req.c
index 
032fe429ac88b8cc9113976329ea04837f287276..4f77fe767e016496652a97c7a73fc9e29ba7faf0 
100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -1721,9 +1721,10 @@ void test_users_by_filter_valid(void **state)
 test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
 test_ctx-create_user = true;

+/* set (time+1) to avoid failure request time filter */
 ret = sysdb_store_user(test_ctx-tctx-dom, TEST_USER_NAME2, pwd, 1001, 
1001,
NULL, NULL, NULL, cn=TEST_USER_NAME2,dc=test, 
NULL,
-   NULL, 1000, time(NULL));
+   NULL, 1000, time(NULL)+1);
 assert_int_equal(ret, EOK);
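Review bot: time(NULL)+1 in the sysdb_store_user() call only covers a request that is created at most one second after the store; when the request is created two or more seconds later, the stored entry is again older than the request and the test fails in the same way. The added comment should also name the filter it works around. Creating the request before storing the entry would remove the dependency on timing altogether.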

Although this patch fixes intermittent failures,
there are a few problems.

The prototype of function sysdb_store_user is:
/* this function does not check that all user members are actually present */

/* if one of the basic attributes is empty ("") as opposed to NULL,
  * this will just remove it */

int sysdb_store_user(struct sss_domain_info *domain,
  const char *name,
  const char *pwd,
  uid_t uid, gid_t gid,
  const char *gecos,
  const char *homedir,
  const char *shell,
  const char *orig_dn,
  struct sysdb_attrs *attrs,
  char **remove_attrs,
  uint64_t cache_timeout,
  time_t now);


and if now is 0 then we will get the current time.
    /* get transaction timestamp */
    if (!now) {
        now = time(NULL);
    }

I do not understand why we should set current time (now)
to future time(NULL)+1. I didn't check it properly, but
if now is used as transaction timestamp (according to comment)
it should not be from the future.

LS

The initial value was time(now) and it could be simply 0, I agree with that.
(I've tried time(now) - 0, but unfortunately it was not enough. The 
problem is elsewhere.)


The problem is reading the data. There is a filter from a certain time; 
internally, the time used is set to the time of creating the request for 
reading data. But this request is created after inserting data. Therefore, 
the timestamp of the inserted data and the timestamp of request creation 
can vary, especially if the machine is busy.


A completely correct solution (meaning clear) would be to create a request 
to read data at the beginning of the test, then insert data and then try to 
read it. I tried this, but I had complications with the mock then.


Petr


[SSSD] [PATCH] BUILD: Repair dependecies on deprecated libraries

2015-07-28 Thread Petr Cech

Hi,

this is a patch to
https://fedorahosted.org/sssd/ticket/2733

This issue is caused by the change of packaging in libsystemd.
They said:
We merged libsystemd-journal.so, libsystemd-id128.so, libsystemd-login
and libsystemd-daemon into a single libsystemd.so to reduce code
duplication and avoid cyclic dependencies (see below). The new library
exports the same symbols as the old libraries, however with a different
symbol version.
More is available here:
http://lists.freedesktop.org/archives/systemd-devel/2014-February/017146.html

So, the solution is checking the version of systemd and deciding which 
library we can use. More details in patch.


Thanks.

Petr

PS: Thanks to lslebodn :-)
PPS: There are CI tests too
http://sssd-ci.duckdns.org/logs/commit/bf/8f8703d47abf01d5f1a5f683c2fc1ee572350c/1965/summary.html
From fcf895ad8df932403dfc554a34ff0d8ceac72785 Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Mon, 27 Jul 2015 12:52:49 -0400
Subject: [PATCH] BUILD: Repair dependecies on deprecated libraries

From systemd version 209 up, there are no modules -login
and -journal. M4 macro can switch the libraries due to
systemd version.

Resolves:
https://fedorahosted.org/sssd/ticket/2733
---
 contrib/ci/deps.sh  |  2 +-
 src/external/systemd.m4 | 24 +---
 2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
index 74401f8328cdcc6f80afa9f7408ef9e9ce890df7..22b7276ebdb8e3ba5e1e34334adbe310cbff8bad 100644
--- a/contrib/ci/deps.sh
+++ b/contrib/ci/deps.sh
@@ -92,7 +92,7 @@ if [[ $DISTRO_BRANCH == -debian-* ]]; then
 libselinux1-dev
 libsemanage1-dev
 libsmbclient-dev
-libsystemd-journal-dev
+libsystemd-dev
 libtalloc-dev
 libtdb-dev
 libtevent-dev
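Review bot: the `-debian-*` branch now installs `libsystemd-dev` unconditionally, while the `systemd.m4` change in the same patch still falls back to `libsystemd-journal` and `libsystemd-login` when systemd is older than 209. On a Debian release with the older systemd the CI dependency list and the configure check would disagree, so either select the package by release here or state in the commit message that CI only covers releases with the merged library.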
diff --git a/src/external/systemd.m4 b/src/external/systemd.m4
index dbced0d66aa19e064f998648675a5a9c080eaab8..ddc79e465fd53618c5f90341a96461b92c8528b1 100644
--- a/src/external/systemd.m4
+++ b/src/external/systemd.m4
@@ -1,23 +1,33 @@
+dnl There are no module libsystemd-journal and libsystem-login
+dnl up systemd version 209
+PKG_CHECK_EXISTS(systemd = 209, [HAVE_SYSTEMD_NEW=yes], [HAVE_SYSTEMD_NEW=no])
+
 dnl A macro to check presence of systemd on the system
 AC_DEFUN([AM_CHECK_SYSTEMD],
 [
 PKG_CHECK_EXISTS(systemd,
  [ HAVE_SYSTEMD=1, AC_SUBST(HAVE_SYSTEMD) ],
- [AC_MSG_ERROR([Could not detect systemd presence])]
-)
+ [AC_MSG_ERROR([Could not detect systemd presence])])
 ])
 
+AS_IF(test x$HAVE_SYSTEMD_NEW = xyes, login_lib_name=libsystemd,
+  login_lib_name=libsystemd-login)
+
 AM_COND_IF([HAVE_SYSTEMD],
-   [PKG_CHECK_MODULES([SYSTEMD_LOGIN], [libsystemd-login],
-[AC_DEFINE_UNQUOTED(HAVE_SYSTEMD_LOGIN, 1, [Build with libsystemdlogin support])],
+   [PKG_CHECK_MODULES([SYSTEMD_LOGIN],
+[$login_lib_name],
+[AC_DEFINE_UNQUOTED(HAVE_SYSTEMD_LOGIN, 1,
+[Build with libsystemdlogin support])],
 [AC_MSG_NOTICE([Build without libsystemd-login support])])])
 
 dnl A macro to check presence of journald on the system
 AC_DEFUN([AM_CHECK_JOURNALD],
 [
-   PKG_CHECK_MODULES(JOURNALD,
- libsystemd-journal,
- [AC_DEFINE_UNQUOTED([WITH_JOURNALD], 1, [journald is available])])
+AS_IF(test x$HAVE_SYSTEMD_NEW = xyes, journal_lib_name=libsystemd,
+  journal_lib_name=libsystemd-journal)
+   PKG_CHECK_MODULES(JOURNALD, [$journal_lib_name],
+ [AC_DEFINE_UNQUOTED([WITH_JOURNALD], 1,
+ [journald is available])])
dnl Some older versions of pkg-config might not set these automatically
dnl while setting CFLAGS and LIBS manually twice doesn't hurt.
AC_SUBST([JOURNALD_CFLAGS])
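Review bot: the new `PKG_CHECK_EXISTS` line and the `login_lib_name` `AS_IF` sit at the top level of the file, outside any `AC_DEFUN`, whereas the `journal_lib_name` selection is inside `AM_CHECK_JOURNALD`. Top-level text is expanded wherever the file is included, so the result depends on include order; moving both into the macros that use them, and quoting the `AS_IF` arguments in square brackets, would keep each check self-contained.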
-- 
2.4.3



Re: [SSSD] [PATCH] BUILD: Repair dependecies on deprecated libraries

2015-07-28 Thread Petr Cech



On 07/28/2015 01:34 PM, Lukas Slebodnik wrote:

On (28/07/15 11:58), Petr Cech wrote:
From fcf895ad8df932403dfc554a34ff0d8ceac72785 Mon Sep 17 00:00:00 2001

From: Petr Cech pc...@redhat.com
Date: Mon, 27 Jul 2015 12:52:49 -0400
Subject: [PATCH] BUILD: Repair dependecies on deprecated libraries


From systemd version 209 up, there are no modules -login

and -journal. M4 macro can switch the libraries due to
systemd version.

Resolves:
https://fedorahosted.org/sssd/ticket/2733
---
contrib/ci/deps.sh  |  2 +-
src/external/systemd.m4 | 24 +---
2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
index 
74401f8328cdcc6f80afa9f7408ef9e9ce890df7..22b7276ebdb8e3ba5e1e34334adbe310cbff8bad
 100644
--- a/contrib/ci/deps.sh
+++ b/contrib/ci/deps.sh
@@ -92,7 +92,7 @@ if [[ $DISTRO_BRANCH == -debian-* ]]; then
 libselinux1-dev
 libsemanage1-dev
 libsmbclient-dev
-libsystemd-journal-dev
+libsystemd-dev
 libtalloc-dev
 libtdb-dev
 libtevent-dev
diff --git a/src/external/systemd.m4 b/src/external/systemd.m4
index 
dbced0d66aa19e064f998648675a5a9c080eaab8..ddc79e465fd53618c5f90341a96461b92c8528b1
 100644
--- a/src/external/systemd.m4
+++ b/src/external/systemd.m4
@@ -1,23 +1,33 @@
+dnl There are no module libsystemd-journal and libsystem-login
+dnl up systemd version 209

I think better comment would be to say that libsystemd-journal and
libsystem-login  ... are deprecated and libsystemd should be used
instead of them.

http://lists.freedesktop.org/archives/systemd-devel/2014-February/017146.html


+PKG_CHECK_EXISTS(systemd = 209, [HAVE_SYSTEMD_NEW=yes], [HAVE_SYSTEMD_NEW=no])
+
dnl A macro to check presence of systemd on the system
AC_DEFUN([AM_CHECK_SYSTEMD],
[
 PKG_CHECK_EXISTS(systemd,
  [ HAVE_SYSTEMD=1, AC_SUBST(HAVE_SYSTEMD) ],
- [AC_MSG_ERROR([Could not detect systemd presence])]
-)
+ [AC_MSG_ERROR([Could not detect systemd presence])])
])

+AS_IF(test x$HAVE_SYSTEMD_NEW = xyes, login_lib_name=libsystemd,


 I know I recommended that name to you but development in systemd
 is quite rapid. So in future we might need another variable
 HAVE_SYSTEMD_NEWER.

So it might be better to test an availability of library libsystemd.
It was introduced in systemd 209  and is not available on rhel 7.{0,1}

Something like
  PKG_CHECK_EXISTS([libsystemd],
   [HAVE_LIBSYSTEMD=yes],
   [HAVE_LIBSYSTEMD=no])
instead of 1st line in file.


+  login_lib_name=libsystemd-login)
+

the square brackets are used in other places with macro AS_IF
src/external/intgcheck.m4:AS_IF([test -n $PYTEST], [HAVE_PYTEST=yes], 
[HAVE_PYTEST=no])

src/external/ldap.m4:AS_IF([test -n $SLAPD], [HAVE_SLAPD=yes], 
[HAVE_SLAPD=no])

src/external/libcmocka.m4:AS_IF([test x$cmocka_required_headers != 
xno],
src/external/libcmocka.m4-  [PKG_CHECK_MODULES([CMOCKA], [cmocka], 
[have_cmocka=yes])]


AM_COND_IF([HAVE_SYSTEMD],
-   [PKG_CHECK_MODULES([SYSTEMD_LOGIN], [libsystemd-login],
-[AC_DEFINE_UNQUOTED(HAVE_SYSTEMD_LOGIN, 1, [Build with 
libsystemdlogin support])],
+   [PKG_CHECK_MODULES([SYSTEMD_LOGIN],
+[$login_lib_name],
+[AC_DEFINE_UNQUOTED(HAVE_SYSTEMD_LOGIN, 1,
+[Build with libsystemdlogin support])],
 [AC_MSG_NOTICE([Build without libsystemd-login support])])])

   I would add at least 4 spaces here instead of 1.
   So it will be clear that the code belongs to PKG_CHECK_MODULES
   and not to the AM_COND_IF

dnl A macro to check presence of journald on the system
AC_DEFUN([AM_CHECK_JOURNALD],
[
-   PKG_CHECK_MODULES(JOURNALD,
- libsystemd-journal,
- [AC_DEFINE_UNQUOTED([WITH_JOURNALD], 1, [journald is 
available])])
+AS_IF(test x$HAVE_SYSTEMD_NEW = xyes, journal_lib_name=libsystemd,
+  journal_lib_name=libsystemd-journal)

We do not have the same indentation in autotools code. We do not have rules
or a coding style. So it's safe to use the same indentation as the code around.


+   PKG_CHECK_MODULES(JOURNALD, [$journal_lib_name],
+ [AC_DEFINE_UNQUOTED([WITH_JOURNALD], 1,
+ [journald is available])])
dnl Some older versions of pkg-config might not set these automatically
dnl while setting CFLAGS and LIBS manually twice doesn't hurt.
AC_SUBST([JOURNALD_CFLAGS])
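Review bot: in the `SYSTEMD_LOGIN` check the define description still reads `Build with libsystemdlogin support` and the fallback notice still reads `Build without libsystemd-login support`, although `$login_lib_name` may now be `libsystemd`. Printing the selected module name in both messages would make the configure output show which library was actually probed.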
--
2.4.3


LS

Thanks. There is a patch version 2.
And CI:
http://sssd-ci.duckdns.org/logs/commit/75

Re: [SSSD] [PATCH] SDAP: rename SDAP_CACHE_PURGE_TIMEOUT

2015-07-30 Thread Petr Cech

On 07/29/2015 08:51 PM, Jakub Hrozek wrote:

On Wed, Jul 29, 2015 at 10:19:33AM +0200, Pavel Reichl wrote:

Hello, please see trivial patch attached.

While I was investigating case I found that to access value of
'ldap_purge_cache_timeout'  option I need to use enum value
SDAP_CACHE_PURGE_TIMEOUT. I consider this to be a bad name (swap of cache
and purge) as it took me additional time to find this out. I think that
proposed name is better.

Unless somebody feels strongly against the patch I think it could be
reviewed by our new colleague.

Yes, I assigned the review to Petr.


Thanks!


Hi,
I went through the code, the replacement was done consistently everywhere.
I built it successfully.
CI tests:
http://sssd-ci.duckdns.org/logs/commit/0e/84d48733ed84948e52d62e9f7ca6f40dd7366c/1995/summary.html
(Failing is not relevant to the patch.)
= ACK
Petr


Re: [SSSD] [PATCH] SPEC: Update spec file for krb5_local_auth_plugin

2015-07-29 Thread Petr Cech

On 07/24/2015 09:46 AM, Lukas Slebodnik wrote:

ehlo,

patch is attached.

LS

0001-SPEC-Update-spec-file-for-krb5_local_auth_plugin.patch


 From 9474dfc64cbd73ab25bf12660f6b55e5563fe14c Mon Sep 17 00:00:00 2001
From: Lukas Slebodniklsleb...@redhat.com
Date: Fri, 24 Jul 2015 09:24:31 +0200
Subject: [PATCH] SPEC: Update spec file for krb5_local_auth_plugin

krb5_localauth_plugin could be build only with MIT kerberos = 1.12.
However, this feature was backported in downstream to older version
of kerberos. So there were packaging failures

error: Installed (but unpackaged) file(s) found:
/usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so
RPM build errors:
 Installed (but unpackaged) file(s) found:
/usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so
Child returncode was: 1
EXCEPTION: Command failed. See logs for output.
---
  contrib/sssd.spec.in | 7 ++-
  1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 
15f7c582cba1b9052e180596625be7dd5749599f..cb3aab78616c6c8f9442fbf3d0944d4d140ff549
 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -1,3 +1,4 @@
+%global rhel6_minor %(%{__grep} -o 6.[0-9]* /etc/redhat-release |%{__sed} -s 
's/6.//')
  %global rhel7_minor %(%{__grep} -o 7.[0-9]* /etc/redhat-release |%{__sed} 
-s 's/7.//')
  
  %if 0%{?rhel}  0%{?rhel} = 6
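Review bot: in the new `rhel6_minor` line the dot in `6.[0-9]*` and in `s/6.//` is an unescaped regex metacharacter, so it matches any character after a `6`, not only the release separator. Escaping it (`6\.[0-9]*`, `s/6\.//`) keeps the macro from picking up an unrelated `6` in `/etc/redhat-release`; the existing `rhel7_minor` line has the same pattern.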

@@ -41,7 +42,7 @@
  %global with_cifs_utils_plugin_option --disable-cifs-idmap-plugin
  %endif
  
-%if (0%{?fedora} = 21 || (0%{?rhel} == 7   0%{?rhel7_minor} = 1))

+%if (0%{?fedora} || (0%{?rhel} == 7   0%{?rhel7_minor} = 1) || (0%{?rhel} == 6 
  0%{?rhel6_minor} = 7))
  %global with_krb5_localauth_plugin 1
  %endif
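Review bot: the `%if` that sets `with_krb5_localauth_plugin` now carries three distribution cases on one line with no comment saying why RHEL 6 is included. A short comment above it naming the downstream backport mentioned in the commit message would explain the `rhel6_minor` bound to the next reader.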
  
@@ -112,11 +113,7 @@ BuildRequires: pcre-devel

  BuildRequires: libxslt
  BuildRequires: libxml2
  BuildRequires: docbook-style-xsl
-%if (0%{?with_krb5_localauth_plugin} == 1)
-BuildRequires: krb5-devel = 1.12
-%else
  BuildRequires: krb5-devel
-%endif
  BuildRequires: c-ares-devel
  BuildRequires: python-devel
  %if (0%{?with_python3} == 1)
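Review bot: with the versioned `BuildRequires: krb5-devel` removed, nothing in the spec ties the plugin to the Kerberos library that is actually installed; `with_krb5_localauth_plugin` is decided purely from the distribution version. If configure and that macro ever disagree, the build fails only at the packaging step, as in the error quoted in the commit message, so the assumption deserves a comment next to the remaining `BuildRequires: krb5-devel` line.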
-- 2.4.3



Hi,
I looked at the patch and successfully built rpm on RHEL 6.6 and 6.7 
(and on Fedora 22). Then I used CI, result is there

http://sssd-ci.duckdns.org/logs/commit/7c/fbe0ff1743a1939c8066175f1634842c58de66/1977/summary.html
It looks good to me. So -- if nobody has comments -- ACK.
Petr


Re: [SSSD] IFP: use default limit if provided is 0

2015-08-14 Thread Petr Cech

On 08/13/2015 12:48 PM, Pavel Březina wrote:

 From eef083f774988fe8e6b6a5a8513a163fd7558b55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=pbrez...@redhat.com
Date: Thu, 13 Aug 2015 12:46:59 +0200
Subject: [PATCH] IFP: use default limit if provided is 0

Hi,

CI: http://sssd-ci.duckdns.org/logs/job/21/49/summary.html
I compiled it, ran it and it worked.

ACK

Petr


Re: [SSSD] [PATCH] [HBAC]: Better libhbac debuging

2015-08-14 Thread Petr Cech

ping :-)


[SSSD] [WIP] [TEST]: Observation patch

2015-08-12 Thread Petr Cech

Hi,

I have explored in detail why the test responder_cache_req-tests failed 
so often. I created a new VM with RHEL 6.7.



OBSERVATION:

As we know, CI machines are under pressure, so I wrote a simple 
cpu_braker, see [1]. I ran the tests 50 times with cpu_braker (average 
load  2.60, only 1 CPU).

Results:

[ RUN  ] test_users_by_filter_multiple_domains_valid
0x2 != 0
src/tests/cmocka/test_responder_cache_req.c:1875: error: Failure!

[ RUN  ] test_users_by_filter_multiple_domains_valid
0x1 != 0x2
src/tests/cmocka/test_responder_cache_req.c:1879: error: Failure!

[ RUN  ] test_groups_by_filter_valid
0x1 != 0x2
src/tests/cmocka/test_responder_cache_req.c:1972: error: Failure!

[ RUN  ] test_groups_by_filter_multiple_domains_valid
0x2 != 0
src/tests/cmocka/test_responder_cache_req.c:2051: error: Failure!

[ RUN  ] test_groups_by_filter_multiple_domains_valid
0x1 != 0x2
src/tests/cmocka/test_responder_cache_req.c:2055: error: Failure!

These errors say they failed to retrieve data from the cache. The tests 
insert two test values into the cache at the beginning of their run, 
and then try to pull them back. And sometimes, if they are under pressure, 
they fail.


For a more detailed explanation, I added some printf(). I ran the test 
25 times.

The results:

[ RUN  ] test_users_by_filter_valid
 ... sysdb_store_user at [1439384336] (src/db/sysdb_ops.c:1882)
 ... cache_req_input_create at [1439384337] 
(src/responder/common/responder_cache_req.c:122)
 ... recent_filter = [(lastUpdate=1439384337)] 
(src/responder/common/responder_cache_req.c:44)

 ... sysdb_store_user at [1439384337] (src/db/sysdb_ops.c:1882)
 ... recent_filter = [(lastUpdate=1439384337)] 
(src/responder/common/responder_cache_req.c:44)

0x1 != 0x2
src/tests/cmocka/test_responder_cache_req.c:1748: error: Failure!

[ RUN  ] test_users_by_filter_multiple_domains_valid
 ... sysdb_store_user at [1439384174] (src/db/sysdb_ops.c:1882)
 ... sysdb_store_user at [1439384174] (src/db/sysdb_ops.c:1882)
 ... cache_req_input_create at [1439384175] 
(src/responder/common/responder_cache_req.c:122)
 ... recent_filter = [(lastUpdate=1439384175)] 
(src/responder/common/responder_cache_req.c:44)
 ... recent_filter = [(lastUpdate=1439384175)] 
(src/responder/common/responder_cache_req.c:44)

0x2 != 0
src/tests/cmocka/test_responder_cache_req.c:1874: error: Failure!

[ RUN  ] test_groups_by_filter_valid
 ... sysdb_store_group at [1439385276] (src/db/sysdb_ops.c:2042)
 ... cache_req_input_create at [1439385277] 
(src/responder/common/responder_cache_req.c:122)
 ... recent_filter = [(lastUpdate=1439385277)] 
(src/responder/common/responder_cache_req.c:67)

 ... sysdb_store_group at [1439385277] (src/db/sysdb_ops.c:2042)
 ... recent_filter = [(lastUpdate=1439385277)] 
(src/responder/common/responder_cache_req.c:67)

0x1 != 0x2
src/tests/cmocka/test_responder_cache_req.c:1971: error: Failure!

[ RUN  ] test_groups_by_filter_multiple_domains_valid
 ... sysdb_store_group at [1439385286] (src/db/sysdb_ops.c:2042)
 ... sysdb_store_group at [1439385287] (src/db/sysdb_ops.c:2042)
 ... cache_req_input_create at [1439385287] 
(src/responder/common/responder_cache_req.c:122)
 ... recent_filter = [(lastUpdate=1439385287)] 
(src/responder/common/responder_cache_req.c:67)
 ... recent_filter = [(lastUpdate=1439385287)] 
(src/responder/common/responder_cache_req.c:67)

0x1 != 0x2
src/tests/cmocka/test_responder_cache_req.c:2054: error: Failure!

As we can see, we have discovered a new failing test 
test_users_by_filter_valid.


REPRODUCER:

Use cpu_braker [1] and observation patch [2] and try some iterations...
# for i in {1..50} ; do ./responder_cache_req-tests ; done


SOLUTION?

The problem is caused by trying to retrieve records from the cache with 
the time filter set. The time filter is set to the time of the 
request creation. However, we create the request in our tests after 
inserting records into the cache. Therefore, the time of the data 
records and the time filter may differ.


So, the solution is to create the request and then insert records, or 
create the request and set:

# req.req_start = req.req_start - 1.

Please, can you help me? For example see function:
test_users_by_filter_multiple_domains_valid()
in src/tests/cmocka/test_responder_cache_req.c:1834

Regards

Petr


ATTACHMENTS:

[1] cpu_braker.c
[2] 0001-TEST-Observation-patch.patch
From b58608eaadca863b28b0cc80b0588fa536d508b8 Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Wed, 12 Aug 2015 15:41:03 +0200
Subject: [PATCH] [TEST]: Observation patch

This patch is part of reproducer, nothing more.

Resolves:
https://fedorahosted.org/sssd/ticket/2730
---
 src/db/sysdb_ops.c |6 ++
 src/responder/common/responder_cache_req.c |   11 +++
 2 files changed
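
The ordering race described in this message and in the earlier review of the time(NULL)+1 patch, as an added example that is not code from the thread or from SSSD. The struct names, the two scenario functions and the simulated clock are assumptions made for illustration, and the filter is assumed to be "lastUpdate greater than or equal to the request creation time"; the start value is the timestamp from the log above.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Constructed stand-in for a cached record; only lastUpdate matters here. */
struct cache_entry {
    const char *name;
    time_t last_update;
};

/* Constructed stand-in for a cache request; req_start is its creation time. */
struct cache_request {
    time_t req_start;
};

/* Simulated clock start, taken from the log lines in the message above. */
#define SIM_START ((time_t)1439384174)

/* Assumed filter semantics: a record is "recent" if lastUpdate >= req_start. */
static size_t count_recent(const struct cache_entry *entries, size_t n,
                           const struct cache_request *req)
{
    size_t hits = 0;

    for (size_t i = 0; i < n; i++) {
        if (entries[i].last_update >= req->req_start) {
            hits++;
        }
    }
    return hits;
}

/* Order used by the failing tests: store two records, then create the
 * request. The gaps model a busy machine where the wall clock ticks
 * between the steps. store_offset models the time(NULL)+1 workaround. */
size_t store_then_request(time_t gap_between_stores,
                          time_t gap_before_request,
                          time_t store_offset)
{
    time_t now = SIM_START;
    struct cache_entry entries[2];
    struct cache_request req;

    entries[0].name = "user1";
    entries[0].last_update = now + store_offset;
    now += gap_between_stores;

    entries[1].name = "user2";
    entries[1].last_update = now + store_offset;
    now += gap_before_request;

    req.req_start = now;
    return count_recent(entries, 2, &req);
}

/* Order proposed in the thread: create the request first, then store.
 * Every record is written at or after req_start, whatever the load. */
size_t request_then_store(time_t gap_after_request,
                          time_t gap_between_stores)
{
    time_t now = SIM_START;
    struct cache_entry entries[2];
    struct cache_request req;

    req.req_start = now;
    now += gap_after_request;

    entries[0].name = "user1";
    entries[0].last_update = now;
    now += gap_between_stores;

    entries[1].name = "user2";
    entries[1].last_update = now;

    return count_recent(entries, 2, &req);
}

int main(void)
{
    printf("idle machine:              %zu of 2\n", store_then_request(0, 0, 0));
    printf("tick before request:       %zu of 2\n", store_then_request(0, 1, 0));
    printf("tick between stores:       %zu of 2\n", store_then_request(1, 0, 0));
    printf("+1 offset, 1 s delay:      %zu of 2\n", store_then_request(0, 1, 1));
    printf("+1 offset, 2 s delay:      %zu of 2\n", store_then_request(0, 2, 1));
    printf("request first, any delay:  %zu of 2\n", request_then_store(3, 1));
    return 0;
}
```

The "tick before request" and "tick between stores" cases correspond to the `0x2 != 0` and `0x1 != 0x2` failures in the log.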

Re: [SSSD] [WIP] [TEST]: Observation patch

2015-08-14 Thread Petr Cech



On 08/13/2015 07:49 AM, Lukas Slebodnik wrote:

On (12/08/15 17:57), Petr Cech wrote:

Hi,

I have explored in detail why the test responder_cache_req-tests failed so
often. I created a new VM with RHEL 6.7.


OBSERVATION:

As we know, CI machines are under pressure, so I wrote a simple cpu_braker,
see [1]. I ran the tests 50 times with cpu_braker (average load  2.60, only
1 CPU).
Results:

[ RUN  ] test_users_by_filter_multiple_domains_valid
0x2 != 0
src/tests/cmocka/test_responder_cache_req.c:1875: error: Failure!

[ RUN  ] test_users_by_filter_multiple_domains_valid
0x1 != 0x2
src/tests/cmocka/test_responder_cache_req.c:1879: error: Failure!

[ RUN  ] test_groups_by_filter_valid
0x1 != 0x2
src/tests/cmocka/test_responder_cache_req.c:1972: error: Failure!

[ RUN  ] test_groups_by_filter_multiple_domains_valid
0x2 != 0
src/tests/cmocka/test_responder_cache_req.c:2051: error: Failure!

[ RUN  ] test_groups_by_filter_multiple_domains_valid
0x1 != 0x2
src/tests/cmocka/test_responder_cache_req.c:2055: error: Failure!

These errors say they failed to retrieve data from the cache. The tests insert
two test values into the cache at the beginning of their run, and then try
to pull them back. And sometimes, if they are under pressure, they fail.

For a more detailed explanation, I added some printf(). I ran the test 25
times.
The results:

[ RUN  ] test_users_by_filter_valid
 ... sysdb_store_user at [1439384336] (src/db/sysdb_ops.c:1882)
 ... cache_req_input_create at [1439384337]
(src/responder/common/responder_cache_req.c:122)
 ... recent_filter = [(lastUpdate=1439384337)]
(src/responder/common/responder_cache_req.c:44)
 ... sysdb_store_user at [1439384337] (src/db/sysdb_ops.c:1882)
 ... recent_filter = [(lastUpdate=1439384337)]
(src/responder/common/responder_cache_req.c:44)
0x1 != 0x2
src/tests/cmocka/test_responder_cache_req.c:1748: error: Failure!

[ RUN  ] test_users_by_filter_multiple_domains_valid
 ... sysdb_store_user at [1439384174] (src/db/sysdb_ops.c:1882)
 ... sysdb_store_user at [1439384174] (src/db/sysdb_ops.c:1882)
 ... cache_req_input_create at [1439384175]
(src/responder/common/responder_cache_req.c:122)
 ... recent_filter = [(lastUpdate=1439384175)]
(src/responder/common/responder_cache_req.c:44)
 ... recent_filter = [(lastUpdate=1439384175)]
(src/responder/common/responder_cache_req.c:44)
0x2 != 0
src/tests/cmocka/test_responder_cache_req.c:1874: error: Failure!

[ RUN  ] test_groups_by_filter_valid
 ... sysdb_store_group at [1439385276] (src/db/sysdb_ops.c:2042)
 ... cache_req_input_create at [1439385277]
(src/responder/common/responder_cache_req.c:122)
 ... recent_filter = [(lastUpdate=1439385277)]
(src/responder/common/responder_cache_req.c:67)
 ... sysdb_store_group at [1439385277] (src/db/sysdb_ops.c:2042)
 ... recent_filter = [(lastUpdate=1439385277)]
(src/responder/common/responder_cache_req.c:67)
0x1 != 0x2
src/tests/cmocka/test_responder_cache_req.c:1971: error: Failure!

[ RUN  ] test_groups_by_filter_multiple_domains_valid
 ... sysdb_store_group at [1439385286] (src/db/sysdb_ops.c:2042)
 ... sysdb_store_group at [1439385287] (src/db/sysdb_ops.c:2042)
 ... cache_req_input_create at [1439385287]
(src/responder/common/responder_cache_req.c:122)
 ... recent_filter = [(lastUpdate=1439385287)]
(src/responder/common/responder_cache_req.c:67)
 ... recent_filter = [(lastUpdate=1439385287)]
(src/responder/common/responder_cache_req.c:67)
0x1 != 0x2
src/tests/cmocka/test_responder_cache_req.c:2054: error: Failure!

As we can see, we have discovered a new failing test
test_users_by_filter_valid.

REPRODUCER:

Use cpu_braker [1] and observation patch [2] and try some iterations...
# for i in {1..50} ; do ./responder_cache_req-tests ; done


SOLUTION?

The problem is caused by trying to retrieve records from the cache with the
time filter set. The time filter is set to the time of the request
creation. However, we create the request in our tests after inserting records
into the cache. Therefore, the time of the data records and the time
filter may differ.

So, the solution is to create the request and then insert records, or create
the request and set:
# req.req_start = req.req_start - 1.

Please, can you help me? For example see function:
test_users_by_filter_multiple_domains_valid()
in src/tests/cmocka/test_responder_cache_req.c:1834

Regards

Petr


ATTACHMENTS:

[1] cpu_braker.c
[2] 0001-TEST-Observation-patch.patch

From b58608eaadca863b28b0cc80b0588fa536d508b8 Mon Sep 17 00:00:00 2001

From: Petr Cech pc...@redhat.com
Date: Wed, 12 Aug 2015 15:41:03 +0200
Subject: [PATCH] [TEST]: Observation patch

This patch is part of reproducer, nothing more.

Resolves:
https://fedorahosted.org/sssd/ticket/2730
---
src/db/sysdb_ops.c |6 ++
src/responder/common

[SSSD] [PATCH] [HBAC]: Better libhbac debuging

2015-07-24 Thread Petr Cech
)
...hbac_evaluator.c:474] srchosts:
...hbac_evaluator.c:427]   category [0x1] [ALL]
...hbac_evaluator.c:173] DISALLOWED by rule [szabo_allowed].
...hbac_evaluator.c:454]   RULE [Test_rule] [ENABLED]:
...hbac_evaluator.c:456] services:
...hbac_evaluator.c:427]   category [0] [NONE]
...hbac_evaluator.c:430]   services_names:
...hbac_evaluator.c:432] [login]
...hbac_evaluator.c:432] [sshd]
...hbac_evaluator.c:432] [su]
...hbac_evaluator.c:445]   services_groups (none)
...hbac_evaluator.c:462] users:
...hbac_evaluator.c:427]   category [0] [NONE]
...hbac_evaluator.c:430]   users_names:
...hbac_evaluator.c:432] [csikos]
...hbac_evaluator.c:445]   users_groups (none)
...hbac_evaluator.c:468] targethosts:
...hbac_evaluator.c:427]   category [0] [NONE]
...hbac_evaluator.c:430]   targethosts_names:
...hbac_evaluator.c:432] [albireo.cygnus.dev]
...hbac_evaluator.c:445]   targethosts_groups (none)
...hbac_evaluator.c:474] srchosts:
...hbac_evaluator.c:427]   category [0x1] [ALL]
...hbac_evaluator.c:173] DISALLOWED by rule [Test_rule].
...hbac_evaluator.c:214] hbac_evaluate() ]
...hbac_evaluator.c:150] [ hbac_evaluate()
...hbac_evaluator.c:410]   REQUEST:
...hbac_evaluator.c:391] service [sshd]
...hbac_evaluator.c:400] service_group (none)
...hbac_evaluator.c:391] user [szabo]
...hbac_evaluator.c:395] user_group:
...hbac_evaluator.c:397]   [ipausers]
...hbac_evaluator.c:391] targethost [albireo.cygnus.dev]
...hbac_evaluator.c:400] targethost_group (none)
...hbac_evaluator.c:391] srchost [192.168.122.106]
...hbac_evaluator.c:400] srchost_group (none)
...hbac_evaluator.c:417] request time Fri Jul 24 14:29:46 2015
...hbac_evaluator.c:454]   RULE [szabo_allowed] [ENABLED]:
...hbac_evaluator.c:456] services:
...hbac_evaluator.c:427]   category [0] [NONE]
...hbac_evaluator.c:435]   services_names (none)
...hbac_evaluator.c:440]   services_groups:
...hbac_evaluator.c:442] [Sudo]
...hbac_evaluator.c:462] users:
...hbac_evaluator.c:427]   category [0] [NONE]
...hbac_evaluator.c:430]   users_names:
...hbac_evaluator.c:432] [szabo]
...hbac_evaluator.c:445]   users_groups (none)
...hbac_evaluator.c:468] targethosts:
...hbac_evaluator.c:427]   category [0] [NONE]
...hbac_evaluator.c:430]   targethosts_names:
...hbac_evaluator.c:432] [albireo.cygnus.dev]
...hbac_evaluator.c:445]   targethosts_groups (none)
...hbac_evaluator.c:474] srchosts:
...hbac_evaluator.c:427]   category [0x1] [ALL]
...hbac_evaluator.c:173] DISALLOWED by rule [szabo_allowed].
...hbac_evaluator.c:454]   RULE [Test_rule] [ENABLED]:
...hbac_evaluator.c:456] services:
...hbac_evaluator.c:427]   category [0] [NONE]
...hbac_evaluator.c:430]   services_names:
...hbac_evaluator.c:432] [login]
...hbac_evaluator.c:432] [sshd]
...hbac_evaluator.c:432] [su]
...hbac_evaluator.c:445]   services_groups (none)
...hbac_evaluator.c:462] users:
...hbac_evaluator.c:427]   category [0] [NONE]
...hbac_evaluator.c:430]   users_names:
...hbac_evaluator.c:432] [csikos]
...hbac_evaluator.c:445]   users_groups (none)
...hbac_evaluator.c:468] targethosts:
...hbac_evaluator.c:427]   category [0] [NONE]
...hbac_evaluator.c:430]   targethosts_names:
...hbac_evaluator.c:432] [albireo.cygnus.dev]
...hbac_evaluator.c:445]   targethosts_groups (none)
...hbac_evaluator.c:474] srchosts:
...hbac_evaluator.c:427]   category [0x1] [ALL]
...hbac_evaluator.c:173] DISALLOWED by rule [Test_rule].
...hbac_evaluator.c:214] hbac_evaluate() ]

Thanks.

Petr
From 2fcf13ef59f00b460afa77b27ef6cc2789b06393 Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Fri, 24 Jul 2015 10:56:49 -0400
Subject: [PATCH] [HBAC]: Better libhbac debuging

Added support for logging via external log function.
Log provides information about rules evaluating (HBAC_DBG_INFO level)
and additionally can describe rules (HBAC_DBG_TRACE level).

Resolves:
https://fedorahosted.org/sssd/ticket/2703
---
 src/providers/ipa/hbac_evaluator.c | 146 +
 src/providers/ipa/ipa_access.c |  45 
 src/providers/ipa/ipa_hbac.exports |   3 +-
 src/providers/ipa/ipa_hbac.h   |  23 ++
 4 files changed, 216 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/hbac_evaluator.c b/src/providers/ipa/hbac_evaluator.c
index f40f9e0a7f16f5e012079c637b89c8e49ec5d15b..66d3512937702b5955f333c0c837807ee9e13deb 100644
--- a/src/providers/ipa/hbac_evaluator.c
+++ b/src/providers/ipa/hbac_evaluator.c
@@ -24,6 +24,8 @@
 */
 
 #include stdlib.h
+#include stdio.h
+#include stdarg.h
 #include string.h
 #include errno.h
 #include providers/ipa/ipa_hbac.h
@@ -38,6 +40,41 @@ typedef int errno_t;
 #define EOK 0
 #endif
 
+/* HBAC logging system */
+
+/* static pointer to external logging function

Re: [SSSD] [PATCH] UTIL: Function 2string for enum sss_cli_command

2015-07-14 Thread Petr Cech

On 07/13/2015 07:13 PM, Lukas Slebodnik wrote:

On (13/07/15 10:57), Jakub Hrozek wrote:

On Mon, Jul 13, 2015 at 09:47:46AM +0200, Lukas Slebodnik wrote:

On (10/07/15 16:54), Jakub Hrozek wrote:

On Wed, Jul 08, 2015 at 03:26:52PM +0200, Sumit Bose wrote:

   I would suggest that you put sss_cli_command_2string() in a file on
   its own similar like atomic_io.c or authtok-utils.c. And add this file
   to pam_sss_la_SOURCES and libsss_debug_la_SOURCES in Makefile.am. I
   leave it up to you to decide what would be a good place for this file.
   The sss_client directory because the enum sss_cli_command is defined
   here as well or the util directory because the main usage for it is in
   the SSSD code and not in the pam_sss module.

This is really important, so much that I wonder if we should move all
the files that are used by both client code and daemon code to some new
directory in the SSSD tree (src/shared/ maybe) and use a different comment
header in these files.

We do not need to use sss_cmd2str in client code.
If you want to see debug messages from pam_sss module then you
need to recompile source code with extra CFLAG to enable them.

Good point.


It is very unlikely that debug messages in pam_sss code will be used by users.
I would prefer not to touch client code, or to use just the hexadecimal
representation (the same as in the header file)

I agree, let's not touch the client unless needed.

Another reason for not using sss_cmd2str in client code is that
it depends on our debug_fn from internal library libsss_debug.

Even though the function sss_cmd2str was not used in pam_sss.c
it was still linked with pam_sss.so and thus dlopen test failed.
Petr already noticed it; This mail is just summary of off the list
discussion.

LS


Hi,

there is another repaired patch.
Changes are:
* hexadecimal numbers instead of cmd2str() in sss_client,
* added license preamble in headers of new files.

And there is a comment from Lukas Slebodnik for which I need more investigation.
 BTW It would be good to use new function also in backend code.
 src/providers/data_provider_be.c:1107:  Got request for 
[%#x][%d][%s]\n, type, attr_type, filter);

 I used to filter debug messages for be_get_account_info which print
 type as hexadecimal number. Maybe there are also other places.
 LS

Petr
From a93e36f11759cf9a748942e7632d4a07a088b098 Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Wed, 8 Jul 2015 07:17:28 -0400
Subject: [PATCH] UTIL: Function 2string for enum sss_cli_command

Improvement of debug messages.
Instead of:(0x0400): Running command [17]...
We could see:(0x0400): Running command [17][SSS_NSS_GETPWNAM]...
(It's not used in sss_client. There are only hex numbers of commands.)

Resolves:
https://fedorahosted.org/sssd/ticket/2708
---
 Makefile.am  |   3 +-
 src/providers/dp_pam_data_util.c |  27 +
 src/responder/nss/nsssrv_cmd.c   |  30 ++---
 src/sss_client/pam_sss.c |   6 +-
 src/tools/tools_mc_util.c|   4 +-
 src/util/sss_cli_cmd.c   | 238 +++
 src/util/sss_cli_cmd.h   |  28 +
 7 files changed, 293 insertions(+), 43 deletions(-)
 create mode 100644 src/util/sss_cli_cmd.c
 create mode 100644 src/util/sss_cli_cmd.h

diff --git a/Makefile.am b/Makefile.am
index b8cbc6df23ded1edb945a709b6dbe1c44eb54017..430f2292a1be9e0f0b7cb56e8ecbf179e9978dcd 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -678,7 +678,8 @@ endif
 pkglib_LTLIBRARIES += libsss_debug.la
 libsss_debug_la_SOURCES = \
 src/util/debug.c \
-src/util/sss_log.c
+src/util/sss_log.c \
+src/util/sss_cli_cmd.c
 libsss_debug_la_LIBADD = \
 $(SYSLOG_LIBS)
 libsss_debug_la_LDFLAGS = \
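Review bot: the diffstat gives `Makefile.am | 3 +-`, which this hunk accounts for in full, so the new `src/util/sss_cli_cmd.h` is not added to any header list in `Makefile.am`. A header that automake is not told about is left out of `make dist` tarballs; please list it alongside the other distributed headers.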
diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c
index 8724bf936f3f46fb8393c8a3da57215a73b4191a..10e91f5f7286db5e76ad98b6c7519f2482d006db 100644
--- a/src/providers/dp_pam_data_util.c
+++ b/src/providers/dp_pam_data_util.c
@@ -23,33 +23,10 @@
 */
 
 #include providers/data_provider.h
-
+#include util/sss_cli_cmd.h
 
 #define PAM_SAFE_ITEM(item) item ? item : not set
 
-static const char *pamcmd2str(int cmd) {
-switch (cmd) {
-case SSS_PAM_AUTHENTICATE:
-return PAM_AUTHENTICATE;
-case SSS_PAM_SETCRED:
-return PAM_SETCRED;
-case SSS_PAM_ACCT_MGMT:
-return PAM_ACCT_MGMT;
-case SSS_PAM_OPEN_SESSION:
-return PAM_OPEN_SESSION;
-case SSS_PAM_CLOSE_SESSION:
-return PAM_CLOSE_SESSION;
-case SSS_PAM_CHAUTHTOK:
-return PAM_CHAUTHTOK;
-case SSS_PAM_CHAUTHTOK_PRELIM:
-return PAM_CHAUTHTOK_PRELIM;
-case SSS_PAM_PREAUTH:
-return SSS_PAM_PREAUTH;
-default:
-return UNKNOWN;
-}
-}
-
 int pam_data_destructor(void *ptr)
 {
 struct pam_data *pd = talloc_get_type(ptr
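Review bot: Removing pamcmd2str() changes the strings that reach the logs. The old helper returned short names such as PAM_AUTHENTICATE (and, inconsistently, SSS_PAM_PREAUTH for the last case), while the commit message shows the replacement printing the full enum name, as in [SSS_NSS_GETPWNAM]. State the rename in the commit message so that anyone matching PAM log lines on the old names knows their patterns need updating.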

[SSSD] [PATCH] DATA_PROVIDER: BE_REQ as string in log message

2015-07-15 Thread Petr Cech

Hi,

I investigated the situation around the log message which Lukas 
mentioned. I prepared this patch. The result is that the original message
 [sssd[be[cygnus.dev]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=celestian]

changed to
 [sssd[be[cygnus.dev]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]



A)
I would like to ask if mark 'FAST' is useful, or if I should remove it.


B)
While writing a patch Lukas noticed another similar logging message
 [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [LDAP][3][1][name=mof_user6]


I investigated it. This is the same thing -- BE_REQ_*, but it is no 
longer in the provider, but in the responder. Can you please advise me 
where I could write the function 'be_req2str'?


The first message is coming from
 src/providers/data_provider_be.c -- be_get_account_info,
the second is from
 src/responder/common/responder_dp -- sss_dp_get_account_msg


Thanks.

Petr
From 78ba1b38af081001eaefae180adc4a45e8c673d9 Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Wed, 15 Jul 2015 02:26:29 -0400
Subject: [PATCH] DATA_PROVIDER: BE_REQ as string in log message

NOTICE: This is only draft, not real commit!
We could have
 Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]
instead of
 Got request for [0x1001][1][name=celestian]

Resolves:
https://fedorahosted.org/sssd/ticket/2708
---
 src/providers/data_provider_be.c | 38 +-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index f5bdfb676011975defa4c5a734d420c8694f3bdd..1d59a0ab1b14f5db4319565edf646e01329f0168 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -80,6 +80,8 @@ static int be_autofs_handler(struct sbus_request *dbus_req, void *user_data);
 static int be_host_handler(struct sbus_request *dbus_req, void *user_data);
 static int be_get_subdomains(struct sbus_request *dbus_req, void *user_data);
 
+const char* be_req2str(dbus_uint32_t req_type);
+
 struct data_provider_iface be_methods = {
 { data_provider_iface_meta, 0 },
 .RegisterService = client_registration,
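Review bot: be_req2str() is prototyped without static in the middle of a block of static handler prototypes, so it becomes an exported symbol that no header declares. Make it static if it stays local to this file, or, if it is meant to be shared with the responder code that logs the same BE_REQ_* values, move the declaration into a header both sides include. Style: the surrounding code puts the asterisk next to the name, so write const char *be_req2str(...).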
@@ -1104,7 +1106,8 @@ static int be_get_account_info(struct sbus_request *dbus_req, void *user_data)
 return EOK; /* handled */
 
 DEBUG(SSSDBG_FUNC_DATA,
-  Got request for [%#x][%d][%s]\n, type, attr_type, filter);
+  Got request for [%#x][%s][%d][%s]\n, type, be_req2str(type),
+   attr_type, filter);
 
 /* If we are offline and fast reply was requested
  * return offline immediately
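Review bot: Inserting the name as a new second field shifts attr_type and filter one position to the right, which breaks existing patterns that match this message as [type][attr_type][filter], and this is a message people already filter on. Keep the field order and attach the name to the type field, or call the format change out in the commit message.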
@@ -2955,3 +2958,36 @@ static int data_provider_logrotate(struct sbus_request *dbus_req, void *data)
 
 return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID);
 }
+
+const char* be_req2str(dbus_uint32_t req_type)
+{
+switch (req_type  BE_REQ_TYPE_MASK) {
+case BE_REQ_USER:
+return req_type  BE_REQ_FAST ? FAST BE_REQ_USER : BE_REQ_USER;
+case BE_REQ_GROUP:
+return req_type  BE_REQ_FAST ? FAST BE_REQ_GROUP : BE_REQ_GROUP;
+case BE_REQ_INITGROUPS:
+return req_type  BE_REQ_FAST ? FAST BE_REQ_INITGROUPS : BE_REQ_INITGROUPS;
+case BE_REQ_NETGROUP:
+return req_type  BE_REQ_FAST ? FAST BE_REQ_NETGROUP : BE_REQ_NETGROUP;
+case BE_REQ_SERVICES:
+return req_type  BE_REQ_FAST ? FAST BE_REQ_SERVICES : BE_REQ_SERVICES;
+case BE_REQ_SUDO_FULL:
+return req_type  BE_REQ_FAST ? FAST BE_REQ_SUDO_FULL : BE_REQ_SUDO_FULL;
+case BE_REQ_SUDO_RULES:
+return req_type  BE_REQ_FAST ? FAST BE_REQ_SUDO_RULES : BE_REQ_SUDO_RULES;
+case BE_REQ_AUTOFS:
+return req_type  BE_REQ_FAST ? FAST BE_REQ_AUTOFS : BE_REQ_AUTOFS;
+case BE_REQ_HOST:
+return req_type  BE_REQ_FAST ? FAST BE_REQ_HOST : BE_REQ_HOST;
+case BE_REQ_BY_SECID:
+return req_type  BE_REQ_FAST ? FAST BE_REQ_BY_SECID : BE_REQ_BY_SECID;
+case BE_REQ_USER_AND_GROUP:
+return req_type  BE_REQ_FAST ? FAST BE_REQ_USER_AND_GROUP : BE_REQ_USER_AND_GROUP;
+case BE_REQ_BY_UUID:
+return req_type  BE_REQ_FAST ? FAST BE_REQ_BY_UUID : BE_REQ_BY_UUID;
+case BE_REQ_BY_CERT:
+return req_type  BE_REQ_FAST ? FAST BE_REQ_BY_CERT : BE_REQ_BY_CERT;
+}
+return UNKNOWN_REQ;
+}
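Review bot: Every case in be_req2str() carries two literals selected by the BE_REQ_FAST test, so each new BE_REQ_* type needs the same pair added by hand and the FAST variants can drift from the plain ones. Return only the type name from the switch and report the fast flag separately at the call site; the raw value is still logged with %#x, so the flag is never lost. The switch also has no default label, and the BE_REQ_INITGROUPS and BE_REQ_USER_AND_GROUP lines run well past 80 columns.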
-- 
2.4.3



Re: [SSSD] [WIKI] Contribute and DevelTips are duplicate

2015-07-17 Thread Petr Cech

On 07/13/2015 11:02 PM, Jakub Hrozek wrote:

On Fri, Jul 10, 2015 at 10:38:09AM +0200, Petr Cech wrote:

Hi,

Hi,

sorry about the vacation-induced delay. This is a very useful proposal,
see inline for my comments.


I've read the wiki according to
#  https://fedorahosted.org/sssd/ticket/2706
and I think that it could be helpful to clean the page
#  https://fedorahosted.org/sssd/wiki/DevelTutorials
from git topic and create new page for everything related to git.

The motivation is, that:
* Contribute briefly describes the whole process on a basic level,
* DevelTips looks like How To,
* DevelTutorials are more about technologies, libraries, build process...,
* So there could be one page for everything about git.

   ~
I think there might be one (or two) page about our development process in,
not necessarily git.

As a general comment, my aim when I filed this ticket was to make our
wiki more maintainable. We have too many tasks on our hands already, so
we should make sure all the info on our wiki is up-to-date and if
possible, we have a documented way to update them (maybe in the release
process...perhaps we could say that with every .0 version we update a
selected list of pages?)



NOTES how we could edit wiki:

https://fedorahosted.org/sssd/wiki/Contribute

 Contribute
 Contribution Policy
 Source Code Repository  /*
  * There could be only a link to the repo
and
  * reference to New Git page.

The new git page is actually my main concern, see below.


  */
 Tips and tricks for developers
 QA, Development and Bug Triage

Hmm, I see another duplication, we have both
 https://fedorahosted.org/sssd/wiki/BugLifecycle
and:
 https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs
(the latter being my fault)

Can you also take a look at these two with your fresh eyes and consider
merging them?


 Development Repositories

We should add a note to this section linking to Lukas' COPR repo. I was
even considering adding a link to this repo to both the Releases page
and even maybe the front page -- opinions are welcome here!


 Localization and Internationalization

This section needs fixing, we don't use transifex anymore but Zanata.
See the ReleaseProcess page for some more details:
 https://fedorahosted.org/sssd/wiki/ReleaseProcess

I think a link to Zanata would be enough here. But at the same time, I
would prefer this section to stay.


 Design Pages

I think this whole section needs to go. We're adding several new design
pages each release so it's not realistic to maintain this page. In order
to track a design, I think the ultimate source is the ticket.

If we want to maintain a section listing open/closed/postponed designs,
then I would prefer to generate them from Trac ticket status. But IMO
it's better to not have this info at all rather than have outdated
info...


 Credits

To be honest, I don't think this section and the page it links to:
 https://fedorahosted.org/sssd/wiki/WhoAreWe
is useful and I would vote to remove it. Please note I'm not diminishing
the contributions especially for non-Red Hat people, but I also think
that since we don't really maintain the page, it would be better to
remove it.

The development team info is outdated at least since 2012..


 Latest Documentation and Presentations

I think the documentation is very valuable and needs to stay. Maybe we
could add a sentence saying something like There is a dedicated page
where we keep our documentation.



https://fedorahosted.org/sssd/wiki/DevelTips

This page is rather short, what do you say we merge it with Contribute
page?


 SSSD Devel page
 Are there any introductory tutorials available?
 /* + Reference to the new Git page */
 When I debug an SSSD process in a debugger, it always gets killed
with …
 Using valgrind to identify memory access problems
 Using strace to track the SSSD processes
 How do I track work-in-progress of other developers?  /*
* Is it
* still valid?
*
* I tried link
* for jhrozek and
* his sssd.git
* and the url
* doesn't exist.
*/

Hmm, which link did you try? I keep my work here these days:
 https://fedorapeople.org/cgit/jhrozek/public_git/sssd.git
or as a git fetch URL:
 git://fedorapeople.org/home/fedora/jhrozek/public_git/sssd.git


 Why does make check take so long?
 Using clang to perform static analysis of source code
 When I compile the SSSD from source there is an error that says …


https://fedorahosted.org/sssd/wiki/DevelTutorials

 /*
  * Label @new-git-page means
  * that I would like move given paragraph

Re: [SSSD] [PATCH] DEBUG: Preventing chown_debug_file if journald on

2015-10-21 Thread Petr Cech

On 10/05/2015 10:21 AM, Jakub Hrozek wrote:

On Fri, Sep 25, 2015 at 02:05:14PM +0200, Petr Cech wrote:

ping



I can't start sssd as a service with this patch applied after switching
from root to non-root:
 1) add user=sssd to the [sssd] section
 2) chown root.root /var/log/sssd/*.log
 3) systemctl start sssd

I must admit I no longer remember what the irritating messages the
ticket talks about were. Was it that the file is not there if only
journald support is used? Would it make more sense to ignore ENOENT
errors in that case (or even always)?


Hi Jakub,

ticket says "chown_debug_file() is called unconditionally and it does 
not make any check if debug to files is active or not. This might cause 
irritating error messages e.g. when journald is used."


I must admit I didn't check my patch currently. But I tried to reproduce 
your problem with starting SSSD after switching root to non-root user. I 
think I catch the problem.


I tried it (switch the user) without my patch applied---and the result 
was the same, it couldn't start. Problem is in step number 2, you wrote 
root instead of sssd.


I tried full installation now (make, create rpm, install from rpm) and 
it is possible to run SSSD without and with my patch applied.


Maybe this could help to find short way like in step 2:

[root@albireo sssd]# ll /var/lib/
drwxr-xr-x. 8 root  root80 Oct 21 10:15 sss

[root@albireo sssd]# ll /var/lib/sss
drwx--. 2 sssd sssd 4096 Oct 21 10:25 db
drwxr-xr-x. 2 sssd sssd6 Oct 21 10:15 gpo_cache
drwx--. 2 sssd sssd6 Oct 21 10:15 keytabs
drwxr-xr-x. 2 sssd sssd   48 Oct 21 10:25 mc
drwxr-xr-x. 3 sssd sssd   40 Oct 21 10:25 pipes
drwxr-xr-x. 3 sssd sssd   27 Oct 21 10:25 pubconf

[root@albireo sssd]# ll /var/log
drwxr-x---. 2 sssd sssd4096 Oct 21 10:15 sssd

Regards

Petr


Re: [SSSD] [PATCH] DEBUG: Preventing chown_debug_file if journald on

2015-10-23 Thread Petr Cech

How to reproduce:

Sumit wrote explanation to ticket comment. Better is if .log files 
missing. And you need run SSSD logging only to journal. Lukas wrote in 
some mail above in thread, how to enable it.


Thanks to all.

Petr


Re: [SSSD] [PATCH] DEBUG: Preventing chown_debug_file if journald on

2015-10-23 Thread Petr Cech

On 10/23/2015 02:18 PM, Petr Cech wrote:

How to reproduce:

Sumit wrote explanation to ticket comment. Better is if .log files
missing. And you need run SSSD logging only to journal. Lukas wrote in
some mail above in thread, how to enable it.

Thanks to all.

Petr


# sudo bash
# systemctl stop sssd
# vim /etc/systemd/system/sssd.service.d/journal.conf
# rm /var/log/sssd/*.log
# systemctl daemon-reload
# systemctl start sssd
# journalctl -r | grep 'chown failed'


Re: [SSSD] [PATCH] TEST: recent_valid filter testing

2015-10-27 Thread Petr Cech

On 10/23/2015 12:57 PM, Jakub Hrozek wrote:

Thank you, I think your approach is correct. Your test essentially tests
that testuser2 was on the server but was removed, so only testuser1 is
returned.

It's correct, but because the interface is able to return more users, I
would prefer if we tested that as well.

I have one more minor remark inline, but in general, please go
ahead and add back the other tests..


Hello Jakub and everyone!

The first patch set is attached.

The removed tests were:
 * users_by_filter_valid
 * users_by_filter_multiple_domains_valid
 * groups_by_filter_valid
 * groups_by_filter_multiple_domains_valid

This patch set covers users_by_filter_valid by two new tests:
 * user_by_recent_filter_valid
 * users_by_recent_filter_valid

The first of them tests the recent filter. The second tests the 
interface's ability to return more users.


Regards,

Petr
From e3dd543eec09f6e4386bfe6f1505538575fe5356 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Fri, 2 Oct 2015 07:34:08 -0400
Subject: [PATCH 1/3] TEST: Add test_user_by_recent_filter_valid

Test users_by_filter_valid() was removed in past. We will add two new
tests instead of it. Logic of those tests is connected to RECENT
filter. It returns only records which have been wrote or updated after
filter was created (or another given time).

users_by_filter_valid() --> user_by_recent_filter_valid()
users_by_recent_filter_valid()

The first of new tests, user_by_recent_filter_valid(), counts with two
users. One is stored before filter request creation and the second user
is stored after filter request creation. So filter returns only one
user.

The second of new tests, users_by_recent_filter_valid(), counts with
three users. One is stored before filter request creation and two users
are stored after filter request creation. So filter returns two users.

This patch adds user_by_recent_filter_valid().

Resolves:
https://fedorahosted.org/sssd/ticket/2730
---
 src/tests/cmocka/test_responder_cache_req.c | 50 +
 1 file changed, 50 insertions(+)

diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
index 744c8f4a8f7aa4e08f82aca5aea003438b5b59da..3379b17f7feea521966d6c8646afd9859a3c5255 100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -1239,6 +1239,53 @@ static void cache_req_user_by_filter_test_done(struct tevent_req *req)
 ctx->tctx->done = true;
 }
 
+void test_user_by_recent_filter_valid(void **state)
+{
+struct cache_req_test_ctx *test_ctx = NULL;
+TALLOC_CTX *req_mem_ctx = NULL;
+struct tevent_req *req = NULL;
+const char *ldbname = NULL;
+errno_t ret;
+
+test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+test_ctx->create_user = true;
+
+ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME2, "pwd", 1001, 1001,
+   NULL, NULL, NULL, "cn="TEST_USER_NAME2",dc=test", NULL,
+   NULL, 1000, time(NULL));
+assert_int_equal(ret, EOK);
+
+sleep(1);
+
+req_mem_ctx = talloc_new(test_ctx->tctx);
+check_leaks_push(req_mem_ctx);
+
+/* Filters always go to DP */
+will_return(__wrap_sss_dp_get_account_send, test_ctx);
+mock_account_recv_simple();
+
+req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev,
+test_ctx->rctx,
+test_ctx->tctx->dom->name,
+"test*");
+assert_non_null(req);
+
+tevent_req_set_callback(req, cache_req_user_by_filter_test_done, test_ctx);
+
+ret = test_ev_loop(test_ctx->tctx);
+assert_int_equal(ret, ERR_OK);
+assert_true(check_leaks_pop(req_mem_ctx));
+
+assert_non_null(test_ctx->result);
+assert_int_equal(test_ctx->result->count, 1);
+
+ldbname = ldb_msg_find_attr_as_string(test_ctx->result->msgs[0],
+  SYSDB_NAME, NULL);
+assert_non_null(ldbname);
+assert_string_equal(ldbname, TEST_USER_NAME);
+}
+
+
 void test_users_by_filter_filter_old(void **state)
 {
 struct cache_req_test_ctx *test_ctx = NULL;
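Review bot: The sleep(1) after sysdb_store_user() makes the test depend on wall-clock ordering and adds a second to every run; storing TEST_USER_NAME2 with a timestamp of time(NULL) - 1 gives the same "stored before the filter request" ordering without the delay. The final assertion expects TEST_USER_NAME, which this function never stores itself, so extend the "Filters always go to DP" comment to say that the mocked DP callback creates that user. The "test*" literal would read better as a named prefix constant, and the hunk leaves two blank lines before test_users_by_filter_filter_old().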
@@ -1476,11 +1523,14 @@ int main(int argc, const char *argv[])
 new_multi_domain_test(group_by_id_multiple_domains_found),
 new_multi_domain_test(group_by_id_multiple_domains_notfound),
 
+new_single_domain_test(user_by_recent_filter_valid),
+
 new_single_domain_test(users_by_filter_filter_old),
 new_single_domain_test(users_by_filter_notfound),
 new_multi_domain_test(users_by_filter_multiple_domains_notfound),
 new_single_domain_test(groups_by_filter_notfound),
 new_multi_domain_test(groups_by_filter_multiple_domains_notfound),
+
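Review bot: Only a single-domain variant is registered here. The removed set also contained users_by_filter_multiple_domains_valid, and nothing in this patch adds a new_multi_domain_test() counterpart, so the multi-domain path of the recent filter stays untested. Add the counterpart or say in the commit message that it is left out on purpose.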

Re: [SSSD] [PATCH] Monitor: Show service pings at debug level 8

2015-10-27 Thread Petr Cech

On 10/27/2015 02:58 PM, Stephen Gallagher wrote:

SSSDBG_CONF_SETTINGS is reserved for configuration information. These
pings are generally just noise (when they fail, this is logged at
SSSDBG_FATAL_FAILURE). We should only log these at SSSDBG_TRACE_INTERNAL.


Hi Stephen,

CI tests are right:
http://sssd-ci.duckdns.org/logs/job/31/44/summary.html

=> ACK

Petr


Re: [SSSD] Review of umask() in SSSD

2015-10-21 Thread Petr Cech

On 10/12/2015 11:37 AM, Jakub Hrozek wrote:

> From a15acee2495ee12190e711f3344e14c54fc73062 Mon Sep 17 00:00:00 2001
>From: Petr Cech<pc...@redhat.com>
>Date: Wed, 7 Oct 2015 08:57:15 -0400
>Subject: [PATCH 10/11] KRB5_CHILD: More restrictive umask
>
>We could use more restrictive umask in krb5_child. I found out that
>there is directory creation, but it is done by create_ccache_dir()
>which has its own umask setup.
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/2424
>---
>  src/providers/krb5/krb5_child.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
>index 
69b7687188c04498f6ef7c10a1b5ca602daca8ef..be8db23df4660adcb59fcd2677b28ee415cd18d8 
100644
>--- a/src/providers/krb5/krb5_child.c
>+++ b/src/providers/krb5/krb5_child.c
>@@ -720,7 +720,7 @@ static krb5_error_code create_ccache(char *ccname, 
krb5_creds *creds)
>  #endif
>
>  /* Set a restrictive umask, just in case we end up creating any file */
>-umask(SSS_DFL_X_UMASK);
>+umask(SSS_DFL_UMASK);

I think this change is OK, as you say, the directories might need the
executable flag, but then the directory-creating code should make sure
the permissions are more relaxed..

I checked it again. It is OK.



btw I tested both FILE ccache:
 krb5_ccname_template =FILE:/tmp/ccache_%p.XX
the result looked OK to me:
 # ll /tmp/ccache_ad...@ipa.test.KDaxgn
 -rw---. 1 admin admins 1041 Oct 12 09:14 
/tmp/ccache_ad...@ipa.test.KDaxgn
and DIR ccache:
 krb5_ccname_template = DIR:/tmp/ccaches/ccache_%p
also looked good:
 # ll -d/tmp/ccaches/
 drwx--. 3 admin admins 4096 Oct 12 09:31/tmp/ccaches/
 # ll -d/tmp/ccaches/ccache_ad...@ipa.test/
 drwx--. 2 admin admins 4096 Oct 12 
09:31/tmp/ccaches/ccache_ad...@ipa.test/
 # ll /tmp/ccaches/ccache_ad...@ipa.test
 -rw---. 1 admin admins   10 Oct 12 09:31 primary
 -rw---. 1 admin admins 1041 Oct 12 09:31 tktrg2WYD


>
>  /* we create a new context here as the main process one may have been
>   * opened as root and contain possibly references (even open handles ?)
>--
>2.4.3
>
> From 6085c5ce86e6ba79f29d2c18f6fceca9bab5cecb Mon Sep 17 00:00:00 2001
>From: Petr Cech<pc...@redhat.com>
>Date: Wed, 7 Oct 2015 09:32:12 -0400
>Subject: [PATCH 11/11] UTILS: Removing SSS_DFL_X UMASK constant

077 is still used in sss_unique_file(). So we can either use SSS_DFL_X
umask there or convert to non-executable umask. Either way, I think it's
OK to keep SSS_DFL_X even though it's unused right now for later use.
It's just a constant.

OK, SSS_DFL_X_UMASK is still here, but not used in code.



sss_unique_file is used to generate kdcinfo files, where non-x would be
OK because later we fchmod to 644 anyway:
  ret = fchmod(fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);

..and also used in gpo_cache_store_file() which uses the same pattern..


I rewrote DFL_X to DFL in sss_unique_file().


...then also in sss_unique_filename() which is used to create dummy
keytabs in ipa_server_trusted_dom_setup_1way(), handle_randomized() and
ldap_child_get_tgt_sync(). Now:
 - ipa_server_trusted_dom_setup_1way() - safe to change, we only use it
 to get a unique filename, the contents are filled with ipa-getkeytab
 - handle_randomized() - safe to change, libkrb5 unlinks the unique
   file later, so we just really need the filename
 - ldap_child_get_tgt_sync() - ditto, only used as input for
   krb5_cc_resolve()


The third patch is about redundant constant.

And at the end, there are many uses of umask() in CI tests, which I leave 
how they are. They could be test relevant. Maybe I will touch it in some 
future patch.


The last umask like constant is 644, which is connected to chmod(), 
open(), etc. Do we want to have a constant for it?


Regards

Petr
From 2613e2f0cf519664136cb2ff2fb6ef30b80b12b2 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Wed, 7 Oct 2015 08:57:15 -0400
Subject: [PATCH 1/3] KRB5_CHILD: More restrictive umask

We could use more restrictive umask in krb5_child. I found out that
there is directory creation, but it is done by create_ccache_dir()
which has its own umask setup.

Resolves:
https://fedorahosted.org/sssd/ticket/2424
---
 src/providers/krb5/krb5_child.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 69b7687188c04498f6ef7c10a1b5ca602daca8ef..be8db23df4660adcb59fcd2677b28ee415cd18d8 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -720,7 +720,7 @@ static krb5_error_code create_ccache(char *ccname, krb5_creds *creds)
 #endif
 
 /* Set a restrictive umask, just in case we end up creating any file */
-umask(SSS_DFL_X_UMASK);
+umask(SSS_DFL_UMASK);
 
 /* w
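Review bot: With the mask narrowed to SSS_DFL_UMASK, anything created after this call loses the execute bit, so the code now depends on create_ccache_dir() setting its own umask before it makes directories. That dependency is recorded only in the commit message. Extend the comment above the umask() call to say that directory creation is handled by create_ccache_dir() with its own mask, so that a later change adding a mkdir in this path does not silently produce an untraversable directory.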
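The umask behaviour this thread relies on, as an added example that is not SSSD code: it creates a file, a directory and a mkstemp()+fchmod() file under each mask and reports the resulting permission bits. The two mask values are assumptions (the thread only confirms 077 for the X variant), and `created_mode()` and the scratch path are hypothetical names.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* mkdtemp(), mkstemp(), fchmod() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed values; the thread itself only confirms 077 for the X variant. */
#define SSS_DFL_UMASK   0177 /* strips x from the owner, everything from others */
#define SSS_DFL_X_UMASK 0077 /* keeps rwx for the owner, nothing for others */

enum kind {
    KIND_OPEN,           /* open(O_CREAT) requesting 0777 */
    KIND_MKDIR,          /* mkdir() requesting 0777 */
    KIND_MKSTEMP_FCHMOD  /* mkstemp(), then fchmod() to 0644 */
};

/*
 * Create one object of the given kind inside a private scratch directory
 * while `mask` is the process umask, and return its permission bits.
 * Returns (mode_t)-1 on any failure. The previous umask is restored.
 */
static mode_t created_mode(mode_t mask, enum kind kind)
{
    char base[] = "/tmp/umask_demo_XXXXXX";
    char path[64] = "";
    struct stat st;
    mode_t result = (mode_t)-1;
    mode_t old;
    int fd = -1;
    int ok = 0;

    if (mkdtemp(base) == NULL) {
        return result;
    }

    old = umask(mask);
    switch (kind) {
    case KIND_OPEN:
        snprintf(path, sizeof(path), "%s/obj", base);
        fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0777);
        ok = (fd >= 0);
        break;
    case KIND_MKDIR:
        snprintf(path, sizeof(path), "%s/obj", base);
        ok = (mkdir(path, 0777) == 0);
        break;
    case KIND_MKSTEMP_FCHMOD:
        snprintf(path, sizeof(path), "%s/objXXXXXX", base);
        fd = mkstemp(path);
        /* fchmod() sets exactly the bits it is given; umask is not applied */
        ok = (fd >= 0 &&
              fchmod(fd, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == 0);
        break;
    }
    umask(old);

    if (ok && stat(path, &st) == 0) {
        result = st.st_mode & 0777;
    }

    /* Clean up; removal only needs write access to the scratch directory */
    if (fd >= 0) {
        close(fd);
    }
    if (kind == KIND_MKDIR) {
        rmdir(path);
    } else {
        unlink(path);
    }
    rmdir(base);
    return result;
}

int main(void)
{
    printf("open    under 0177: %04o\n",
           (unsigned)created_mode(SSS_DFL_UMASK, KIND_OPEN));
    printf("open    under 0077: %04o\n",
           (unsigned)created_mode(SSS_DFL_X_UMASK, KIND_OPEN));
    /* A directory without x cannot be entered, even by its owner */
    printf("mkdir   under 0177: %04o\n",
           (unsigned)created_mode(SSS_DFL_UMASK, KIND_MKDIR));
    printf("mkdir   under 0077: %04o\n",
           (unsigned)created_mode(SSS_DFL_X_UMASK, KIND_MKDIR));
    printf("mkstemp+fchmod under 0177: %04o\n",
           (unsigned)created_mode(SSS_DFL_UMASK, KIND_MKSTEMP_FCHMOD));
    return 0;
}
```

The mkdir result under the non-executable mask is why directory-creating code needs its own, more relaxed mask, and the last case is why a file that is later fchmod()ed to 644 is unaffected by which of the two masks was active.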

Re: [SSSD] [PATCH] TEST: recent_valid filter testing

2015-11-10 Thread Petr Cech

On 11/10/2015 08:29 AM, Pavel Reichl wrote:



On 11/05/2015 05:29 PM, Petr Cech wrote:

+void test_groups_by_recent_filter_valid(void **state)
+{
+struct cache_req_test_ctx *test_ctx = NULL;
+TALLOC_CTX *req_mem_ctx = NULL;
+struct tevent_req *req = NULL;
+const char **group_names = NULL;
+const char **ldb_results = NULL;
+const char *ldbname = NULL;
+void *tmp_ctx = NULL;

Could you use TALLOC_CTX?

Yes, I could :-)



+errno_t ret;
+
+test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+test_ctx->create_group1 = true;
+test_ctx->create_group2 = true;
+
+ret = sysdb_store_group(test_ctx->tctx->dom, TEST_GROUP_NAME2,
+1001, NULL, 1001, time(NULL));
+assert_int_equal(ret, EOK);
+
+sleep(1);
+
+req_mem_ctx = talloc_new(global_talloc_context);
+check_leaks_push(req_mem_ctx);
+
+/* Filters always go to DP */
+will_return(__wrap_sss_dp_get_account_send, test_ctx);
+mock_account_recv_simple();
+
+/* Group TEST_GROUP1 and TEST_GROUP2 are created with a DP
callback. */
+req = cache_req_group_by_filter_send(req_mem_ctx,
test_ctx->tctx->ev,
+ test_ctx->rctx,
+ test_ctx->tctx->dom->name,
+ TEST_USER_PREFIX);
+assert_non_null(req);
+
+tevent_req_set_callback(req, cache_req_group_by_filter_test_done,
test_ctx);
+
+ret = test_ev_loop(test_ctx->tctx);
+assert_int_equal(ret, ERR_OK);
+assert_true(check_leaks_pop(req_mem_ctx));
+
+assert_non_null(test_ctx->result);
+assert_int_equal(test_ctx->result->count, 2);
+
+tmp_ctx = talloc_zero(NULL, void *);


Why not to use talloc_new(parent_ctx)?


+
+group_names = talloc_array(tmp_ctx, const char *, 2);
+assert_non_null(group_names);
+group_names[0] = TEST_GROUP_NAME;
+group_names[1] = TEST_GROUP_NAME2;
+
+ldb_results = talloc_array(tmp_ctx, const char *, 2);
+assert_non_null(ldb_results);
+for (int i = 0; i < 2; ++i) {
+ldbname = ldb_msg_find_attr_as_string(test_ctx->result->msgs[i],
+  SYSDB_NAME, NULL);
+assert_non_null(ldbname);
+ldb_results[i] = ldbname;
+}
+
+assert_string_not_equal(ldb_results[0], ldb_results[1]);
+
+assert_true(are_values_in_ldb_result(ldb_results, group_names));
+
+talloc_zfree(tmp_ctx);
+}
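Review bot: cache_req_group_by_filter_send() is given TEST_USER_PREFIX as its filter in a test that is about groups, so it matches only if the group names happen to share the user prefix. Define and use a group prefix constant so the test does not depend on that coincidence. The two talloc_array() calls and the result loop also hard-code 2; tie them to one constant that the count assertion uses as well.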


Thanks!


Your comments will be addressed in next patchset.

Petr


Re: [SSSD] [PATCH] TEST: recent_valid filter testing

2015-11-10 Thread Petr Cech

On 11/10/2015 08:37 AM, Lukas Slebodnik wrote:

On (10/11/15 08:29), Pavel Reichl wrote:



On 11/05/2015 05:29 PM, Petr Cech wrote:

+void test_groups_by_recent_filter_valid(void **state)
+{
+struct cache_req_test_ctx *test_ctx = NULL;
+TALLOC_CTX *req_mem_ctx = NULL;
+struct tevent_req *req = NULL;
+const char **group_names = NULL;
+const char **ldb_results = NULL;
+const char *ldbname = NULL;
+void *tmp_ctx = NULL;

Could you use TALLOC_CTX?


Why do we need two different talloc context in a test?
"TALLOC_CTX *req_mem_ctx", "void *tmp_ctx"

If we properly release resources we can use single talloc context.
It's the best way how to catch memory leaks.

LS


Right, I will change void *tmp_ctx to TALLOC_CTX *tmp_ctx and I will 
create it under req_mem_ctx. I feel it will be more clear and readable.


Petr


Re: [SSSD] [PATCH] TEST: recent_valid filter testing

2015-11-10 Thread Petr Cech

On 11/09/2015 04:28 PM, Jakub Hrozek wrote:

On Thu, Nov 05, 2015 at 05:29:25PM +0100, Petr Cech wrote:

>On 11/04/2015 11:11 AM, Jakub Hrozek wrote:

> >Hi,
> >
> >Sorry it took so long to get back to the review.  I only have some minor
> >comments, see inline..
> >
> >Because the group patches are more or less equivalent, I'll just comment
> >here. If you agree with the comments, please also change the group tests
> >and resend in a single set.
> >
> >Thanks for the tests!
> >

> >>> From e3dd543eec09f6e4386bfe6f1505538575fe5356 Mon Sep 17 00:00:00 2001
> >>>From: Petr Cech<pc...@redhat.com>
> >>>Date: Fri, 2 Oct 2015 07:34:08 -0400
> >>>Subject: [PATCH 1/3] TEST: Add test_user_by_recent_filter_valid
> >>>
> >>>Test users_by_filter_valid() was removed in past. We will add two new
> >>>tests instead of it. Logic of those tests is connected to RECENT
> >>>filter. It returns only records which have been wrote or updated after
> >>>filter was created (or another given time).
> >>>
> >>>users_by_filter_valid() --> user_by_recent_filter_valid()
> >>> users_by_recent_filter_valid()
> >>>
> >>>The first of new tests, user_by_recent_filter_valid(), counts with two
> >>>users. One is stored before filter request creation and the second user
> >>>is stored after filter request creation. So filter returns only one
> >>>user.
> >>>
> >>>The second of new tests, users_by_recent_filter_valid(), counts with
> >>>three users. One is stored before filter request creation and two users
> >>>are stored after filter request creation. So filter returns two users.
> >>>
> >>>This patch adds user_by_recent_filter_valid().
> >>>
> >>>Resolves:
> >>>https://fedorahosted.org/sssd/ticket/2730
> >>>---
> >>>  src/tests/cmocka/test_responder_cache_req.c | 50 
+
> >>>  1 file changed, 50 insertions(+)
> >>>
> >>>diff --git a/src/tests/cmocka/test_responder_cache_req.c 
b/src/tests/cmocka/test_responder_cache_req.c
> >>>index 
744c8f4a8f7aa4e08f82aca5aea003438b5b59da..3379b17f7feea521966d6c8646afd9859a3c5255 100644
> >>>--- a/src/tests/cmocka/test_responder_cache_req.c
> >>>+++ b/src/tests/cmocka/test_responder_cache_req.c
> >>>@@ -1239,6 +1239,53 @@ static void 
cache_req_user_by_filter_test_done(struct tevent_req *req)
> >>>  ctx->tctx->done = true;
> >>>  }
> >>>
> >>>+void test_user_by_recent_filter_valid(void **state)
> >>>+{
> >>>+struct cache_req_test_ctx *test_ctx = NULL;
> >>>+TALLOC_CTX *req_mem_ctx = NULL;
> >>>+struct tevent_req *req = NULL;
> >>>+const char *ldbname = NULL;
> >>>+errno_t ret;
> >>>+
> >>>+test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
> >>>+test_ctx->create_user = true;
> >>>+
> >>>+ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME2, "pwd", 
1001, 1001,
> >>>+   NULL, NULL, NULL, 
"cn="TEST_USER_NAME2",dc=test", NULL,
> >>>+   NULL, 1000, time(NULL));
> >>>+assert_int_equal(ret, EOK);
> >>>+
> >>>+sleep(1);

> >The purpose of the sleep() here is just to make sure the entry was
> >created in the past, right? Would it be equally safe to create the user
> >with timestamp time(NULL)-1 to make the test faster?
> >

> >>>+
> >>>+req_mem_ctx = talloc_new(test_ctx->tctx);
> >>>+check_leaks_push(req_mem_ctx);
> >>>+
> >>>+/* Filters always go to DP */
> >>>+will_return(__wrap_sss_dp_get_account_send, test_ctx);
> >>>+mock_account_recv_simple();

> >Can you add a comment that the TEST_USER is created with a DP callback
> >here?
> >

> >>>+
> >>>+req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev,
> >>>+test_ctx->rctx,
> >>>+    test_ctx->tctx->dom->name,
> >>>+"test*");

> >It would read nicer if we had a constant TEST_USER_PREFIX "test_user" 
#defined,
> >or even TEST_USER_

Re: [SSSD] [PATCH] SSSD: Add a new command diag_cmd

2015-11-11 Thread Petr Cech

On 11/11/2015 09:32 AM, Jakub Hrozek wrote:

>Hi Jakub,
>
>I just sent the patch to the CI tests and they passed
>http://sssd-ci.duckdns.org/logs/job/32/63/summary.html
>

> >Then I would prefer undocumented. It matches how we (don't) document the
> >"command" option.

>I agree with little exception. I think it could be more clear if we write
>little documentation to commit message or to the code near the new option.
>But, how everybody wrote, we could leave man page without documentation.

Good idea, I can move the documentation that was previously in the man
page to the commit message, would that work for you?


Yes, it works for me.

I am going to 1/2 PTO for now.

The last two things are that I would like to run it due to your 
reproducer. And there is a remark from Stephen Gallagher which we need 
to resolve.


However, CI tests passed. So if you're in a hurry with code review, 
please ask someone else.


I can continue with review tomorrow.

Regards

Petr


[SSSD] [PATCH] IPA_PROVIDER: Explicit no handle of services

2015-11-09 Thread Petr Cech

Hello,

please see first attempt of patch for:
https://fedorahosted.org/sssd/ticket/2747

Regards

Petr

PS:
# reproducer
getent services -s sss l...@cygnus.dev
From 64d952f188e86a00c26ccbe26ad09231e6b6de2b Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Mon, 9 Nov 2015 09:51:05 -0500
Subject: [PATCH] IPA_PROVIDER: Explicit no handle of services

FreeIPA can't handle services, so we can say explicitly there is no
services in get_object_from_cache() function. And we return EINVAL if
somebody tries to find services in IPA.

Resolves:
https://fedorahosted.org/sssd/ticket/2747
---
 src/providers/ipa/ipa_subdomains_id.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 472985d4ab4f785aa9c4af94bf8021829ca1c3c8..be050cc39c8446b2a92207ee2dad12f66032244f 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -915,6 +915,11 @@ errno_t get_object_from_cache(TALLOC_CTX *mem_ctx,
 NULL };
 char *name;
 
+if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_SERVICES)  {
+ret = EINVAL;
+goto done;
+}
+
 if (ar->filter_type == BE_FILTER_SECID) {
 ret = sysdb_search_object_by_sid(mem_ctx, dom, ar->filter_value, attrs,
  );
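Review bot: the added check in get_object_from_cache() sets ret = EINVAL and jumps to done without logging anything, so a rejected services request cannot be told apart from any other EINVAL in the logs; add a DEBUG message next to `ret = EINVAL;` saying that services are not handled here. The condition also has two spaces before the opening brace (`BE_REQ_SERVICES)  {`).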
-- 
2.4.3



Re: [SSSD] [PATCH] SSSD: Add a new command diag_cmd

2015-11-10 Thread Petr Cech

On 11/09/2015 07:17 PM, Stephen Gallagher wrote:

There are problems inherent with passing the PID to the child process.
There's no guarantee that the process still exists. In the worst-case,
the PID could actually be reassigned to a new process and the output
you got back from something like pstack could be reading from a
different executable entirely.

+1

I am sorry I didn't see the big picture.

Petr
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
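
Stephen Gallagher's point about handing a bare PID to the diagnostic command, as an added example that is not part of the thread or of SSSD's code: before expanding %p, the caller compares the process start time it recorded at spawn with the current value in /proc/<pid>/stat, so a recycled PID is refused. The function names, the constructed stat line and the idea of recording the start time are assumptions of this example, which is Linux-specific.

```c
/* Added example, not SSSD code: bind a "%p" command to one process instance. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed /proc/<pid>/stat line; the comm field holds spaces and ')'. */
const char SAMPLE_STAT[] =
    "4242 (sssd be) x) S 1 4242 4242 0 -1 4194560 100 0 0 0 5 3 0 0 "
    "20 0 1 0 987654 1000000 200 18446744073709551615";

/* Extract field 22 (starttime, in clock ticks since boot). Fields are
 * counted from the LAST ')' because comm may contain spaces and ')'. */
int parse_starttime(const char *stat_line, unsigned long long *out)
{
    const char *p = strrchr(stat_line, ')');
    char *end;
    int field = 2;              /* comm, which ends at p, is field 2 */
    if (p == NULL) return EINVAL;
    p++;
    while (*p != '\0') {
        while (*p == ' ') p++;
        if (*p == '\0') break;
        if (++field == 22) {
            errno = 0;
            *out = strtoull(p, &end, 10);
            return (errno != 0 || end == p) ? EINVAL : 0;
        }
        while (*p != '\0' && *p != ' ') p++;
    }
    return EINVAL;
}

/* Read the current start time of pid; ENOENT means the process is gone. */
int read_starttime(pid_t pid, unsigned long long *out)
{
    char path[64], buf[1024];
    size_t n;
    FILE *f;
    snprintf(path, sizeof(path), "/proc/%ld/stat", (long)pid);
    f = fopen(path, "r");
    if (f == NULL) return errno;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    if (n == 0) return EIO;
    buf[n] = '\0';
    return parse_starttime(buf, out);
}

/* 1 if pid still names the instance recorded at spawn, 0 if gone or reused. */
int same_process(pid_t pid, unsigned long long recorded_start)
{
    unsigned long long now;
    return read_starttime(pid, &now) == 0 && now == recorded_start;
}

/* Expand each "%p" in tmpl to the decimal PID; everything else is copied. */
int expand_diag_cmd(const char *tmpl, pid_t pid, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0) return ERANGE;
    out[0] = '\0';
    while (*tmpl != '\0') {
        int n;
        if (tmpl[0] == '%' && tmpl[1] == 'p') {
            n = snprintf(out + used, outlen - used, "%ld", (long)pid);
            tmpl += 2;
        } else {
            n = snprintf(out + used, outlen - used, "%c", *tmpl);
            tmpl++;
        }
        if (n < 0 || (size_t)n >= outlen - used) return ERANGE;
        used += (size_t)n;
    }
    return 0;
}

/* Build the command only if the PID is still the recorded instance. This
 * narrows the reuse window; the PID can still be recycled after the check. */
int build_diag_cmd(const char *tmpl, pid_t pid, unsigned long long recorded_start,
                   char *out, size_t outlen)
{
    if (!same_process(pid, recorded_start)) return ESRCH;
    return expand_diag_cmd(tmpl, pid, out, outlen);
}

int main(void)
{
    unsigned long long st = 0;
    char cmd[128];
    if (read_starttime(getpid(), &st) != 0) return 1;
    if (build_diag_cmd("pstack %p", getpid(), st, cmd, sizeof(cmd)) == 0)
        printf("would run: %s\n", cmd);
    /* A record with a different start time is treated as a recycled PID. */
    return build_diag_cmd("pstack %p", getpid(), st + 1, cmd, sizeof(cmd)) == ESRCH ? 0 : 1;
}
```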


Re: [SSSD] CONFIGURE: Bump AM_GNU_GETTEXT_VERSION

2015-11-12 Thread Petr Cech

On 11/10/2015 10:44 AM, Lukas Slebodnik wrote:

ehlo,

The function gettext was not detected properly with strict
cflags even though it was part of glibc.

sh$ CFLAGS="-Werror" ./configure

sh$ grep gt_cv_func_gnugettext config.log
gt_cv_func_gnugettext1_libc=no
gt_cv_func_gnugettext1_libintl=no

sh$ objdump -T /lib64/libc.so.6 | grep gettext
0002fc60  w   DF .text  0010  GLIBC_2.2.5 dcngettext
0002dc70  w   DF .text  000f  GLIBC_2.2.5 dcgettext
0002fc80  w   DF .text  0016  GLIBC_2.2.5 ngettext
0002dc90  w   DF .text  000f  GLIBC_2.2.5 gettext
0002dc70 gDF .text  000f  GLIBC_2.2.5 __dcgettext
0002dc80  w   DF .text  000a  GLIBC_2.2.5 dgettext
0002dc80 gDF .text  000a  GLIBC_2.2.5 __dgettext

With the attached patch the situation is better.
sh$ autoreconf
sh$ CFLAGS="-Werror" ./configure

sh$ grep gt_cv_func_gnugettext config.log
gt_cv_func_gnugettext1_libc=yes

LS

0001-CONFIGURE-Bump-AM_GNU_GETTEXT_VERSION.patch

 From c60c2e870d140e127bca69eb03bba30988c1dec4 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Tue, 10 Nov 2015 10:39:07 +0100
Subject: [PATCH] CONFIGURE: Bump AM_GNU_GETTEXT_VERSION

The function gettext was not detected properly with strict
cflags even though it was part of glibc.

sh$ CFLAGS="-Werror" ./configure

sh$ grep gt_cv_func_gnugettext config.log
gt_cv_func_gnugettext1_libc=no
gt_cv_func_gnugettext1_libintl=no

sh$ objdump -T /lib64/libc.so.6 | grep gettext
0002fc60  w   DF .text  0010  GLIBC_2.2.5 dcngettext
0002dc70  w   DF .text  000f  GLIBC_2.2.5 dcgettext
0002fc80  w   DF .text  0016  GLIBC_2.2.5 ngettext
0002dc90  w   DF .text  000f  GLIBC_2.2.5 gettext
0002dc70 gDF .text  000f  GLIBC_2.2.5 __dcgettext
0002dc80  w   DF .text  000a  GLIBC_2.2.5 dgettext
0002dc80 gDF .text  000a  GLIBC_2.2.5 __dgettext
0002fc70  w   DF .text  000b  GLIBC_2.2.5 dngettext
---


Hi Lukas,

CI tests passed:
http://sssd-ci.duckdns.org/logs/job/32/64/summary.html

=> ACK

Regards

Petr


Re: [SSSD] [PATCH] SSSD: Add a new command diag_cmd

2015-11-12 Thread Petr Cech

On 11/11/2015 12:25 PM, Jakub Hrozek wrote:

On Wed, Nov 11, 2015 at 11:07:46AM +0100, Petr Cech wrote:

>On 11/11/2015 09:32 AM, Jakub Hrozek wrote:

> >>>Hi Jakub,
> >>>
> >>>I just sent the patch to the CI tests and they passed
> >>>http://sssd-ci.duckdns.org/logs/job/32/63/summary.html
> >>>

> >>>> >Then I would prefer undocumented. It matches how we (don't) document the
> >>>> >"command" option.

> >>>I agree with little exception. I think it could be more clear if we write
> >>>little documentation to commit message or to the code near the new option.
> >>>But, how everybody wrote, we could leave man page without documentation.

> >Good idea, I can move the documentation that was previously in the man
> >page to the commit message, would that work for you?

>
>Yes, it works for me.
>
>I am going to 1/2 PTO for now.
>
>The last two things are that I would like to run it due to your reproducer.
>And there is a remark from Stephen Gallagher which we need to resolve.
>
>However, CI tests passed. So if you're in a hurry with code review, please
>ask someone else.
>
>I can continue with review tomorrow.

I'm not in hurry at all. Attached is a patch that adds a better commit
message. We can discuss any details related to testing over IRC if you
prefer.

Hi Jakub,

it works due to your reproducer. It is really need to have
setenforce == 1

CI tests passed:
http://sssd-ci.duckdns.org/logs/job/32/25/summary.html

Stephen Gallagher wrote (2015-09-11 11:32 AM):
There are problems inherent with passing the PID to the child process.
There's no guarantee that the process still exists. In the worst-case,
the PID could actually be reassigned to a new process and the output
you got back from something like pstack could be reading from a
different executable entirely.
---
I understand, it could be dangerous. But, this option is a little bit 
secret, we don't write about it in our man pages and so on. I hope it 
will be used only for debugging some hot cases.


There are only little remarks in patch.

=> ACK

Regards

Petr

PS: I accepted that we have
# p = copy;
not something like:
# copy_ptr = copy;
as I suggested in the previous mail.


0001-SSSD-Add-a-new-command-diag_cmd.patch


 From ee4135adf6669221de575ebc92e7b3aabba55ba9 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek<jhro...@redhat.com>
Date: Mon, 2 Nov 2015 11:41:31 +0100
Subject: [PATCH] SSSD: Add a new command diag_cmd

This command is an optional one that is run when a sbus ping times out
and before a SIGKILL commans is sent.

  ---^--- s -> d


diag_cmd (string):
A command that should be run for diagnostic purpose when an sbus timeout
fails. The option value may contain %p which would be expanded for the
process ID of the process that timed out

Example:
 pstack %p
This setting would print the stack trace of the command whose ping timed out.

Default: not set.
---
  src/confdb/confdb.h  |   1 +
  src/config/SSSDConfig/__init__.py.in |   1 +
  src/config/SSSDConfigTest.py |   1 +
  src/config/etc/sssd.api.conf |   1 +
  src/monitor/monitor.c| 215 +++
  5 files changed, 197 insertions(+), 22 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 
37b5fd7c7629e2618a1699e3ffd58110171db605..0ef7268f9cdc2c18482bbf7b8dbe19d3ef6b7bbf
 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -71,6 +71,7 @@
  #define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix"
  #define CONFDB_MONITOR_OVERRIDE_SPACE "override_space"
  #define CONFDB_MONITOR_USER_RUNAS "user"
+#define CONFDB_MONITOR_PRE_KILL_CMD "diag_cmd"

  /* Both monitor and domains */
  #define CONFDB_NAME_REGEX   "re_expression"
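Review bot: the new define is named CONFDB_MONITOR_PRE_KILL_CMD while the option string it maps to is "diag_cmd", so grepping for the config key does not lead to the macro; name it after the option (for example CONFDB_MONITOR_DIAG_CMD), the way CONFDB_MONITOR_OVERRIDE_SPACE follows "override_space" two lines above.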
diff --git a/src/config/SSSDConfig/__init__.py.in 
b/src/config/SSSDConfig/__init__.py.in
index 
bf61c402796122050fa43cf41128faec4771c5d2..60129e6e7fbc96d11c539323346c22a7db6d7f23
 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -50,6 +50,7 @@ option_strings = {
  'reconnection_retries' : _('Number of times to attempt connection to Data 
Providers'),
  'fd_limit' : _('The number of file descriptors that may be opened by this 
responder'),
  'client_idle_timeout' : _('Idle time before automatic disconnection of a 
client'),
+'diag_cmd' : _('The command to run when a service ping times out'),

  # [sssd]
  'services' : _('SSSD Services to start'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 
45562214da5d227b45914abbcb298e043048adf5..abd4a39258e060f27db62eb2352450b6c405930c
 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -307,6 +307,7 @@ class SSSDConfigTestSSSDServi

Re: [SSSD] [PATCH] Reduce the code duplication in Data Provider

2015-11-12 Thread Petr Cech

On 11/11/2015 02:28 PM, Jakub Hrozek wrote:

Hi,

I think one of the prime reasons for #2861 was copy-pasting code. The
two attached patches reduce the code duplication and hopefully will make
future additions to Data Provider safer.

Ideas on different solutions are welcome!


Hi Jakub,

I am afraid that the first patch is inapplicable.
It is built upon the 562a15a2d156b4b062acbf1f4e44e4cb7a4058d2 commit but
there is no such commit.


Regards

Petr


0001-DP-Reduce-code-duplication-in-the-callback-handlers.patch


 From f6e929d4132a23d23a9016e43f4b870780c53032 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 11 Nov 2015 13:39:43 +0100
Subject: [PATCH 1/2] DP: Reduce code duplication in the callback handlers

Instead of calling sbus_request_return_and_finish() directly with the
same checks copied over, add a be_sbus_reply() helper instead.
---


pcech@albireo ~/sssd: (master) $ git am 
../patch/0001-DP-Reduce-code-duplication-in-the-callback-handlers.patch

Applying: DP: Reduce code duplication in the callback handlers
error: patch failed: src/providers/data_provider_be.c:661
error: src/providers/data_provider_be.c: patch does not apply
Patch failed at 0001 DP: Reduce code duplication in the callback handlers
The copy of the patch that failed is found in:
   /home/pcech/sssd/.git/rebase-apply/patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
pcech@albireo ~/sssd: (master) $ git am --abort
pcech@albireo ~/sssd: (master) $ git am -i3 
../patch/0001-DP-Reduce-code-duplication-in-the-callback-handlers.patch

Commit Body is:
--
DP: Reduce code duplication in the callback handlers

Instead of calling sbus_request_return_and_finish() directly with the
same checks copied over, add a be_sbus_reply() helper instead.
--
Apply? [y]es/[n]o/[e]dit/[v]iew patch/[a]ccept all a
Applying: DP: Reduce code duplication in the callback handlers
error: invalid object 100644 562a15a2d156b4b062acbf1f4e44e4cb7a4058d2 
for 'src/providers/data_provider_be.c'

fatal: git-write-tree: error building trees
Repository lacks necessary blobs to fall back on 3-way merge.
Cannot fall back to three-way merge.
Patch failed at 0001 DP: Reduce code duplication in the callback handlers
The copy of the patch that failed is found in:
   /home/pcech/sssd/.git/rebase-apply/patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".


Re: [SSSD] [PATCH] Reduce the code duplication in Data Provider

2015-11-12 Thread Petr Cech

On 11/12/2015 01:08 PM, Jakub Hrozek wrote:

On Thu, Nov 12, 2015 at 01:03:33PM +0100, Petr Cech wrote:

>On 11/11/2015 02:28 PM, Jakub Hrozek wrote:

> >Hi,
> >
> >I think one of the prime reasons for #2861 was copy-pasting code. The
> >two attached patches reduce the code duplication and hopefully will make
> >future additions to Data Provider safer.
> >
> >Ideas on different solutions are welcome!
> >

>Hi Jakub,
>
>I am afraid that the first patch is inapplicable.
>It is built upon the 562a15a2d156b4b062acbf1f4e44e4cb7a4058d2 commit but there
>is no such commit.
>
>Regards

Ah, I'm sorry I should have said earlier that the patches must be
applied atop the patches in thread called "[PATCH] Guard against invalid
DP messages".

These code refactoring patches are not that important, we can wait with
review until the other thread is pushed.


Well, I looked at thread called "[PATCH] Guard against invalid DP 
messages". Those patches are still under review. So I will wait for 
their pushing to the code base.


Please, ping this thread after it.

Thank you

Petr


Re: [SSSD] [PATCH] SSSD: Add a new command diag_cmd

2015-11-12 Thread Petr Cech

On 11/12/2015 06:30 PM, Jakub Hrozek wrote:

On Thu, Nov 12, 2015 at 10:49:33AM +0100, Petr Cech wrote:

>On 11/11/2015 12:25 PM, Jakub Hrozek wrote:

> >On Wed, Nov 11, 2015 at 11:07:46AM +0100, Petr Cech wrote:

> >>>On 11/11/2015 09:32 AM, Jakub Hrozek wrote:

> >>>>>> >>>Hi Jakub,
> >>>>>> >>>
> >>>>>> >>>I just sent the patch to the CI tests and they passed
> >>>>>> >>>http://sssd-ci.duckdns.org/logs/job/32/63/summary.html
> >>>>>> >>>

> >>>>>>>> >>>> >Then I would prefer undocumented. It matches how we (don't) document the
> >>>>>>>> >>>> >"command" option.

> >>>>>> >>>I agree with little exception. I think it could be more clear if we write
> >>>>>> >>>little documentation to commit message or to the code near the new option.
> >>>>>> >>>But, how everybody wrote, we could leave man page without documentation.

> >>>> >Good idea, I can move the documentation that was previously in the man
> >>>> >page to the commit message, would that work for you?

> >>>
> >>>Yes, it works for me.
> >>>
> >>>I am going to 1/2 PTO for now.
> >>>
> >>>The last two things are that I would like to run it due to your reproducer.
> >>>And there is a remark from Stephen Gallagher which we need to resolve.
> >>>
> >>>However, CI tests passed. So if you're in a hurry with code review, please
> >>>ask someone else.
> >>>
> >>>I can continue with review tomorrow.

> >I'm not in hurry at all. Attached is a patch that adds a better commit
> >message. We can discuss any details related to testing over IRC if you
> >prefer.

>Hi Jakub,
>
>it works due to your reproducer. It is really need to have
>setenforce == 1

You meant setenforce 0, right?


Hi Jakub,

yes, of course, I meant setenforce 1. It was mistake.



>
>CI tests passed:
>http://sssd-ci.duckdns.org/logs/job/32/25/summary.html
>
>Stephen Gallagher wrote (2015-09-11 11:32 AM):
>There are problems inherent with passing the PID to the child process.
>There's no guarantee that the process still exists. In the worst-case,
>the PID could actually be reassigned to a new process and the output
>you got back from something like pstack could be reading from a
>different executable entirely.
>---
>I understand, it could be dangerous. But, this option is a little bit
>secret, we don't write about it in our man pages and so on. I hope it will
>be used only for debugging some hot cases.

Yes, Stephen is right, but if this option is only used for debugging,
then I think we're fine. I would really prefer to have this undocumented
option rather than run blind in case services get stuck..

Yes, I agree. We can use this way because it is only for debugging.




The real solution here would be to use systemd for service management.

Good point. Thank you for remark.





>
>There are only little remarks in patch.
>
>=> ACK

Then it should be a nack, don't let sloppy patches through:-)

OK I will be more restrictive.





>
>Regards
>
>Petr
>
>PS: I accepted that we have
># p = copy;
>not something like:
># copy_ptr = copy;
>as I suggested in the previous mail.

Sorry, I overlooked that previously. It's an honest mistake, I didn't want
to ignore you. Feel free to just push again for changes you like next time,
each suggestion should be discussed and either accepted or rejected (with
good reason).

OK.





>

> >0001-SSSD-Add-a-new-command-diag_cmd.patch
> >
> >
> > From ee4135adf6669221de575ebc92e7b3aabba55ba9 Mon Sep 17 00:00:00 2001
> >From: Jakub Hrozek<jhro...@redhat.com>
> >Date: Mon, 2 Nov 2015 11:41:31 +0100
> >Subject: [PATCH] SSSD: Add a new command diag_cmd
> >
> >This command is an optional one that is run when a sbus ping times out
> >and before a SIGKILL commans is sent.

>   ---^--- s -> d

Fixed

OK.




[...]


> >@@ -1065,6 +1237,18 @@ static errno_t get_ping_config(struct mt_ctx *ctx, 
const char *path,
> >"Time between service pings for [%s]: [%d]\n",
> > svc->name, svc->ping_time);
> >
> >+ret = confdb_get_string(ctx->cdb, svc, path,
> >+CONFDB_MONITOR_PRE_KILL_CMD,
> >+NULL, >diag_cmd);
> >+if (ret != EOK) {
> >+DEBUG(SSSDBG_CRIT_FAILURE,
> >+  

Re: [SSSD] [PATCH] TEST: recent_valid filter testing

2015-11-12 Thread Petr Cech

bump


Re: [SSSD] [PATCH] TEST: recent_valid filter testing

2015-11-13 Thread Petr Cech

On 11/13/2015 11:32 AM, Jakub Hrozek wrote:

On Fri, Nov 13, 2015 at 10:52:08AM +0100, Petr Cech wrote:

>On 11/13/2015 10:30 AM, Petr Cech wrote:

> >On 11/13/2015 10:27 AM, Petr Cech wrote:

> >>
> >>Patches are rebased now. I hope it will be ok now.
> >>
> >>Petr

> >Sorry, now my local CI tests failed... I will rebase it again.

>
>Well, now it is right. Local CI tests passed. There has been patch:
>
>   "TESTS: Fix warnings -Wshadow":
>   commit df9e9a1f9b7dc255eb62c390163c25917b08f5a2
>   Refs: sssd-1_13_1-137-gdf9e9a1
>   Author: Lukas Slebodnik<lsleb...@redhat.com>
>   AuthorDate: Mon Nov 9 10:59:55 2015 +0100
>   Commit: Jakub Hrozek<jhro...@redhat.com>
>   CommitDate: Tue Nov 10 15:34:41 2015 +0100
>
>There is change
># - time_t time)
># + time_t transaction_time)
>in static void prepare_user().
>My patches were in conflict with it.
>
>Regards
>
>Petr
> From 3ce6073dda27fd7a4626f5cbac1c765274ca5fe0 Mon Sep 17 00:00:00 2001
>From: Petr Cech<pc...@redhat.com>
>Date: Fri, 2 Oct 2015 07:34:08 -0400
>Subject: [PATCH 1/8] TEST: Add test_user_by_recent_filter_valid
>
>Test users_by_filter_valid() was removed in past. We will add two new
>tests instead of it. Logic of those tests is connected to RECENT
>filter. It returns only records which have been written or updated after
>filter was created (or another given time).
>
>users_by_filter_valid() --> user_by_recent_filter_valid()
> users_by_recent_filter_valid()
>
>The first of new tests, user_by_recent_filter_valid(), counts with two
>users. One is stored before filter request creation and the second user
>is stored after filter request creation. So filter returns only one
>user.
>
>The second of new tests, users_by_recent_filter_valid(), counts with
>three users. One is stored before filter request creation and two users
>are stored after filter request creation. So filter returns two users.
>
>This patch adds user_by_recent_filter_valid().
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/2730
>---
>  src/tests/cmocka/test_responder_cache_req.c | 50 
+
>  1 file changed, 50 insertions(+)
>
>diff --git a/src/tests/cmocka/test_responder_cache_req.c 
b/src/tests/cmocka/test_responder_cache_req.c
>index 
85d986bd7d159dc238bce4bc770272d18288f2dd..14a40ae6e56b2f6d0b18608bac09bc4680245153 
100644
>--- a/src/tests/cmocka/test_responder_cache_req.c
>+++ b/src/tests/cmocka/test_responder_cache_req.c
>@@ -1239,6 +1239,53 @@ static void cache_req_user_by_filter_test_done(struct 
tevent_req *req)
>  ctx->tctx->done = true;
>  }
>
>+void test_user_by_recent_filter_valid(void **state)
>+{
>+struct cache_req_test_ctx *test_ctx = NULL;
>+TALLOC_CTX *req_mem_ctx = NULL;
>+struct tevent_req *req = NULL;
>+const char *ldbname = NULL;
>+errno_t ret;
>+
>+test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
>+test_ctx->create_user = true;
>+
>+ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME2,
>+   "pwd", 1001, 1001, NULL, NULL, NULL,
>+   "cn="TEST_USER_NAME2",dc=test",
>+   NULL, NULL, 1000, time(NULL)-1);
>+assert_int_equal(ret, EOK);
>+
>+req_mem_ctx = talloc_new(test_ctx->tctx);
>+check_leaks_push(req_mem_ctx);

I think the last question is whether we want to use this new context or
just call check_leaks_push(test_ctx) recursively. I don't really mind
too much, both would work for me.

Unless someone opposes, I would push the patch as-is.

OK.




>+
>+/* Filters always go to DP */
>+will_return(__wrap_sss_dp_get_account_send, test_ctx);
>+mock_account_recv_simple();
>+
>+/* User TEST_USER is created with a DP callback. */
>+req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev,
>+test_ctx->rctx,
>+test_ctx->tctx->dom->name,
>+"test*");
>+assert_non_null(req);
> From df9717ca932f95f55b528024829758dd9b2f2f56 Mon Sep 17 00:00:00 2001
>From: Petr Cech<pc...@redhat.com>
>Date: Wed, 4 Nov 2015 06:50:33 -0500
>Subject: [PATCH 2/8] TEST: Refactor of test_responder_cache_req.c
>
>This patch only defines constant TEST_USER_FILTER. So code will be more


TEST_USER_PREFIX is defined.

Fixed.


The code is fine.



> From ae448cc95f9ab9fbca3ab

Re: [SSSD] [PATCH] TEST: recent_valid filter testing

2015-11-13 Thread Petr Cech

On 11/13/2015 12:27 PM, Jakub Hrozek wrote:

+req_mem_ctx = talloc_new(test_ctx->tctx);
> >>+check_leaks_push(req_mem_ctx);

> >
> >I think the last question is whether we want to use this new context or
> >just call check_leaks_push(test_ctx) recursively. I don't really mind
> >too much, both would work for me.
> >
> >Unless someone opposes, I would push the patch as-is.
> >

>I have a different question. (I haven't read the patches yet)
>But I can see that check_leaks_push is called after sysdb_store_user.
>
>I would like to know why,
>because we should try to check leaks "caused" in this function.

Wouldn't these leaks be caught by leaks checks that are pushed in
setup() and popped in teardown() ?


I found out that we use only this expression in test code:

req_mem_ctx = talloc_new(global_talloc_context);
check_leaks_push(req_mem_ctx);

So it is possible that I added this check in vain.


Re: [SSSD] [PATCH] SSSD: Add a new command diag_cmd

2015-11-13 Thread Petr Cech

On 11/13/2015 08:20 AM, Petr Cech wrote:

>Hi Jakub,
>
>it works due to your reproducer. It is really need to have
>setenforce == 1

You meant setenforce 0, right?


Hi Jakub,

yes, of course, I meant setenforce 1. It was mistake.

   --^-- 1 --> 0
I made a little mistake again.


Re: [SSSD] [PATCH] TEST: recent_valid filter testing

2015-11-13 Thread Petr Cech

On 11/13/2015 10:09 AM, Jakub Hrozek wrote:

Hi, patch 003 doesn't apply cleanly for me, can you rebase?


Patches are rebased now. I hope it will be ok now.

Petr
From 3e43417db9b66bdb44d60b5f186156c5ac26ad4b Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Fri, 2 Oct 2015 07:34:08 -0400
Subject: [PATCH 1/8] TEST: Add test_user_by_recent_filter_valid

Test users_by_filter_valid() was removed in past. We will add two new
tests instead of it. Logic of those tests is connected to RECENT
filter. It returns only records which have been written or updated after
filter was created (or another given time).

users_by_filter_valid() --> user_by_recent_filter_valid()
users_by_recent_filter_valid()

The first of new tests, user_by_recent_filter_valid(), counts with two
users. One is stored before filter request creation and the second user
is stored after filter request creation. So filter returns only one
user.

The second of new tests, users_by_recent_filter_valid(), counts with
three users. One is stored before filter request creation and two users
are stored after filter request creation. So filter returns two users.

This patch adds user_by_recent_filter_valid().

Resolves:
https://fedorahosted.org/sssd/ticket/2730
---
 src/tests/cmocka/test_responder_cache_req.c | 50 +
 1 file changed, 50 insertions(+)

diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
index 85d986bd7d159dc238bce4bc770272d18288f2dd..14a40ae6e56b2f6d0b18608bac09bc4680245153 100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -1239,6 +1239,53 @@ static void cache_req_user_by_filter_test_done(struct tevent_req *req)
 ctx->tctx->done = true;
 }
 
+void test_user_by_recent_filter_valid(void **state)
+{
+struct cache_req_test_ctx *test_ctx = NULL;
+TALLOC_CTX *req_mem_ctx = NULL;
+struct tevent_req *req = NULL;
+const char *ldbname = NULL;
+errno_t ret;
+
+test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+test_ctx->create_user = true;
+
+ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME2,
+   "pwd", 1001, 1001, NULL, NULL, NULL,
+   "cn="TEST_USER_NAME2",dc=test",
+   NULL, NULL, 1000, time(NULL)-1);
+assert_int_equal(ret, EOK);
+
+req_mem_ctx = talloc_new(test_ctx->tctx);
+check_leaks_push(req_mem_ctx);
+
+/* Filters always go to DP */
+will_return(__wrap_sss_dp_get_account_send, test_ctx);
+mock_account_recv_simple();
+
+/* User TEST_USER is created with a DP callback. */
+req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev,
+test_ctx->rctx,
+test_ctx->tctx->dom->name,
+"test*");
+assert_non_null(req);
+
+tevent_req_set_callback(req, cache_req_user_by_filter_test_done, test_ctx);
+
+ret = test_ev_loop(test_ctx->tctx);
+assert_int_equal(ret, ERR_OK);
+assert_true(check_leaks_pop(req_mem_ctx));
+
+assert_non_null(test_ctx->result);
+assert_int_equal(test_ctx->result->count, 1);
+
+ldbname = ldb_msg_find_attr_as_string(test_ctx->result->msgs[0],
+  SYSDB_NAME, NULL);
+assert_non_null(ldbname);
+assert_string_equal(ldbname, TEST_USER_NAME);
+}
+
+
 void test_users_by_filter_filter_old(void **state)
 {
 struct cache_req_test_ctx *test_ctx = NULL;
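Review bot: test_user_by_recent_filter_valid() relies on TEST_USER_NAME2 being stored with time(NULL)-1 so that it predates the filter request, but nothing at the sysdb_store_user() call says so; add a comment there explaining that this record must be older than the request and is expected to be excluded, since assert_int_equal(test_ctx->result->count, 1) and the TEST_USER_NAME check depend on it. The filter string "test*" is a bare literal; a named constant shared with the stored user names would keep the two in sync. The function is also followed by two added blank lines where one is enough.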
@@ -1476,11 +1523,14 @@ int main(int argc, const char *argv[])
 new_multi_domain_test(group_by_id_multiple_domains_found),
 new_multi_domain_test(group_by_id_multiple_domains_notfound),
 
+new_single_domain_test(user_by_recent_filter_valid),
+
 new_single_domain_test(users_by_filter_filter_old),
 new_single_domain_test(users_by_filter_notfound),
 new_multi_domain_test(users_by_filter_multiple_domains_notfound),
 new_single_domain_test(groups_by_filter_notfound),
 new_multi_domain_test(groups_by_filter_multiple_domains_notfound),
+
 };
 
 /* Set debug level to invalid value so we can deside if -d 0 was used. */
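Review bot: the blank `+` line added just before the closing `};` of the test array is stray whitespace and should be dropped. The new new_single_domain_test(user_by_recent_filter_valid) entry is also set apart by its own blank line; placing it directly with the users_by_filter_* entries below would keep the filter tests in one group.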
-- 
2.4.3

From 94d583476335324c4f4b62e547a74241582f807f Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Wed, 4 Nov 2015 06:50:33 -0500
Subject: [PATCH 2/8] TEST: Refactor of test_responder_cache_req.c

This patch only defines constant TEST_USER_FILTER. So code will be more
readable.

Resolves:
https://fedorahosted.org/sssd/ticket/2730
---
 src/tests/cmocka/test_responder_cache_req.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_ca

Re: [SSSD] [PATCH] TEST: recent_valid filter testing

2015-11-13 Thread Petr Cech

On 11/13/2015 10:27 AM, Petr Cech wrote:


Patches are rebased now. I hope it will be ok now.

Petr

Sorry, now my local CI tests failed... I will rebase it again.


Re: [SSSD] [PATCH] Reduce the code duplication in Data Provider

2015-11-15 Thread Petr Cech

On 11/11/2015 02:28 PM, Jakub Hrozek wrote:

Hi,

I think one of the prime reasons for #2861 was copy-pasting code. The
two attached patches reduce the code duplication and hopefully will make
future additions to Data Provider safer.

Ideas on different solutions are welcome!


Hello Jakub,

I see that the previous thread is pushed. So I have started to do review
of those patches. Unfortunately the CI tests environment seems to be
broken at all, however, local tests passed.


Anyway, I have one little question, look to the second patch.




0001-DP-Reduce-code-duplication-in-the-callback-handlers.patch


 From f6e929d4132a23d23a9016e43f4b870780c53032 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 11 Nov 2015 13:39:43 +0100
Subject: [PATCH 1/2] DP: Reduce code duplication in the callback handlers

Instead of calling sbus_request_return_and_finish() directly with the
same checks copied over, add a be_sbus_reply() helper instead.

> ---

[...]


0002-DP-Reduce-code-duplication-in-Data-Provider-handlers.patch


 From caeee4a21bda233f0ec8b08b87a0695029e9af8f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 11 Nov 2015 13:40:16 +0100
Subject: [PATCH 2/2] DP: Reduce code duplication in Data Provider handlers

Instead of setting the three same variables over again, add a structure
be_sbus_reply_data with a default initializer BE_SBUS_REPLY_DATA_INIT.

The handlers can then set the structure to BE_SBUS_REPLY_DATA_INIT on
declaration or set a particular value with be_sbus_reply_data_set.

The handler can also reply to the message (typically on failure state)
with be_sbus_req_reply_data()
---
  src/providers/data_provider_be.c | 266 +++
  1 file changed, 98 insertions(+), 168 deletions(-)

diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 
eb2f49adce5f5313f31c67b1dfdd21685e69ca3a..de8a8357b8230eddb7f49fff021957c3f580c64e
 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -319,6 +319,36 @@ static errno_t be_offline_reply(struct sbus_request 
**sbus_req_ptr,
  return ret;
  }

+struct be_sbus_reply_data {
+dbus_uint16_t err_maj;
+dbus_uint32_t err_min;
+const char *err_msg;
+};
+
+#define BE_SBUS_REPLY_DATA_INIT { .err_maj = DP_ERR_FATAL, \

   --^--
What does this dot mean? It is the first time that I see it. Could you
explain it to me, please? Is it some kind of syntactic sugar?


Regards

Petr


+  .err_min = EFAULT, \
+  .err_msg = "Fatal error" \
+};
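Review bot: BE_SBUS_REPLY_DATA_INIT ends with `};` and the line before it ends in a backslash continuation, so the semicolon is part of the macro body; a declaration such as `struct be_sbus_reply_data d = BE_SBUS_REPLY_DATA_INIT;` then expands to the initializer followed by an extra empty statement. Drop the trailing semicolon from the macro and let the user of the macro supply it. A one-line comment above the define noting that `.err_maj = ...` is a C99 designated initializer would also help readers who have not met the syntax.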



Re: [SSSD] [PATCH] IPA_PROVIDER: Explicit no handle of services

2015-11-12 Thread Petr Cech

On 11/11/2015 02:42 PM, Jakub Hrozek wrote:

Hi, I think it's a good idea to only say we don't handle services for
IPA subdomains. But I also think it would be better to shortcut the
request sooner, in ipa_subdomain_account_send() to avoid even sending an
LDAP query.

Hi Jakub,

new patch is attached. During the testing... I found out, that I use 
wrong set up. Subdomains are connected to FreeIPA with trusted AD.


So... patch is here, but I would like set up my environment properly and 
then I will inform you :-)


Regards

Petr
From a7d1a734489434df07d7663deb201bac10f01891 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Mon, 9 Nov 2015 09:51:05 -0500
Subject: [PATCH] IPA_PROVIDER: Explicit no handle of services

Services for IPA subdomains aren't handled by SSSD. This patch adds a
quick shortcut to avoid sending an LDAP query.

Resolves:
https://fedorahosted.org/sssd/ticket/2747
---
 src/providers/ipa/ipa_subdomains_id.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 472985d4ab4f785aa9c4af94bf8021829ca1c3c8..66898eb136dd09da5ca034f0e7ba0f54b075fcab 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -81,6 +81,12 @@ struct tevent_req *ipa_subdomain_account_send(TALLOC_CTX *memctx,
 struct tevent_req *subreq;
 int ret;
 
+if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_SERVICES)  {
+DEBUG(SSSDBG_OP_FAILURE,
+  "Services for IPA subdomains aren't handled by SSSD.\n");
+return NULL;
+}
+
 req = tevent_req_create(memctx, , struct ipa_subdomain_account_state);
 if (req == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n");
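Review bot: the early `return NULL;` in ipa_subdomain_account_send() gives the caller the same result as the tevent_req_create() failure checked just below (`req == NULL`), so an unsupported request type would look like an allocation failure. Create the request first and finish it with an explicit error code (tevent_req_error() and an immediate post) so the caller receives a distinct error. The condition also has two spaces before the opening brace.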
-- 
2.4.3



Re: [SSSD] [PATCHES] UTIL: Fix memory leak in switch_creds

2015-11-10 Thread Petr Cech



On 11/11/2015 08:04 AM, Lukas Slebodnik wrote:

On (11/11/15 07:58), Petr Cech wrote:

>On 11/09/2015 08:06 AM, Lukas Slebodnik wrote:

>>ehlo,
>>
>>You can see a leak in talloc report.
>>But it was ignored. So we didn't notice it for long time.
>>http://sssd-ci.duckdns.org/logs/job/29/90/rhel7/ci-build-debug/src/tests/cwrap/become_user-tests.log
>>
>>The first patch fixes the leak and the last one is prevention
>>for such mistakes in future.
>>
>>LS
>>

>Hi Lukáš,
>
>CI tests passed.
>

Could you send a link?

LS

Yes, of course, I could.
And... here it is:
http://sssd-ci.duckdns.org/logs/job/32/54/summary.html
Petr


Re: [SSSD] [PATCHES] UTIL: Fix memory leak in switch_creds

2015-11-10 Thread Petr Cech

On 11/09/2015 08:06 AM, Lukas Slebodnik wrote:

ehlo,

You can see a leak in talloc report.
But it was ignored. So we didn't notice it for long time.
http://sssd-ci.duckdns.org/logs/job/29/90/rhel7/ci-build-debug/src/tests/cwrap/become_user-tests.log

The first patch fixes the leak and the last one is prevention
for such mistakes in future.

LS


Hi Lukáš,

CI tests passed.


0001-UTIL-Fix-memory-leak-in-switch_creds.patch

 From 219d1bdd378f0a8c17a508e1f3e29a2d5435f4d0 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Sat, 24 Oct 2015 14:19:11 +0200
Subject: [PATCH 1/5] UTIL: Fix memory leak in switch_creds

If we are already requested used then we needn't to call
setreeuid(), setresgid(). But we forgot to release local
struct sss_creds *ssc, which is used for returning saved credentials.
---

ACK


0002-TESTS-Initialize-leak-check.patch

 From 318b862f473daf9606bf7752283a63b36934908b Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Sat, 24 Oct 2015 15:39:21 +0200
Subject: [PATCH 2/5] TESTS: Initialize leak check

If leak_check_setup is not called then global_talloc_context
was not initialized and check_leaks_pop(global_talloc_context) will fail.
---

ACK


0003-TESTS-Check-return-value-of-check_leaks_pop.patch

 From 21bf7449bb53209ad24c0ec4079a5810bb6f707b Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Sat, 24 Oct 2015 15:15:39 +0200
Subject: [PATCH 3/5] TESTS: Check return value of check_leaks_pop
---

ACK


0004-TESTS-Make-check_leaks-static-function.patch

 From 7e95820146c58e68d9cdf356198d18a3f748ff81 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Fri, 6 Nov 2015 15:13:29 +0100
Subject: [PATCH 4/5] TESTS: Make check_leaks static function
---

ACK


0005-TESTS-Add-warning-for-unused-result-of-leak-check-fu.patch

 From d9e428b18c3282fc877683b1a8228665c5f9d48a Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Sat, 24 Oct 2015 15:48:26 +0200
Subject: [PATCH 5/5] TESTS: Add warning for unused result of leak check
  functions
---

ACK

Regards

Petr


Re: [SSSD] [PATCH] SSSD: Add a new command diag_cmd

2015-11-11 Thread Petr Cech

On 11/10/2015 04:20 PM, Jakub Hrozek wrote:

On Tue, Nov 10, 2015 at 01:22:54PM +0100, Lukas Slebodnik wrote:

>On (10/11/15 13:15), Jakub Hrozek wrote:

> >On Mon, Nov 09, 2015 at 11:32:30AM +0100, Petr Cech wrote:

> >>On 11/04/2015 11:24 AM, Jakub Hrozek wrote:

> >> >Hi,
> >> >
> >> >I created this patch to try to diagnose an issue where sssd would
> >> >randomly restart on any of machines in a VM cluster without giving too
> >> >much advice why. I think it might be useful to merge in general.

> >>
> >>Hi Jakub,
> >>
> >>I reviewed the patch. Code looks good to me.
> >>CI tests passed:http://sssd-ci.duckdns.org/logs/job/32/25/summary.html
> >>
> >>Then I tried to test new functionality.
> >>
> >>Man pages are right, I found diag_cmd in sssd.conf.
> >>
> >>And I really got the right message when I kill sss_pam:
> >># (Mon Nov  9 04:30:47 2015) [sssd] [svc_child_info] (0x0040): Child [25767]
> >>terminated with signal [9]
> >>
> >>I would like to see output of pstack, but I don't know, how to get the right
> >>state of SSSD. Can you help me, please?

> >
> >I tested the patch by setting a low 'timeout' in the 'domain' section
> >and then setting the diag_cmd:
> >[domain/foo]
> >timeout = 2
> >diag_cmd = pstack %p
> >
> >then I stopped the back end:
> ># kill -STOP $(pidof sssd_be)
> >
> >You should see the pstack output in /var/log/sssd/sssd.log, also the
> >debug_level must be increased in the [sssd] section. You might also need
> >to set SELinux to Permissive, otherwise sssd might not be able to fork
> >and exec pstack..

>So in this case I would prefer if this option was not documented.
>or it should be documented issues with SELinux
>

Hi Jakub,

I just sent the patch to the CI tests and they passed
http://sssd-ci.duckdns.org/logs/job/32/63/summary.html


Then I would prefer undocumented. It matches how we (don't) document the
"command" option.

I agree, with a little exception. I think it could be more clear if we 
write a little documentation in the commit message or in the code near the new 
option. But, as everybody wrote, we could leave the man page without 
documentation.




A new patch is attached.


0001-SSSD-Add-a-new-command-diag_cmd.patch


 From fb1b8c5fd9fbec475c036563640d7e320d526620 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek<jhro...@redhat.com>
Date: Mon, 2 Nov 2015 11:41:31 +0100
Subject: [PATCH] SSSD: Add a new command diag_cmd

This command is an optional one that is run when a sbus ping times out
and before a SIGKILL command is sent.

This command supports a single template substitution that expands to the
PID of the service being signaled.
---
  src/confdb/confdb.h  |   1 +
  src/config/SSSDConfig/__init__.py.in |   1 +
  src/config/SSSDConfigTest.py |   1 +
  src/config/etc/sssd.api.conf |   1 +
  src/monitor/monitor.c| 215 +++
  5 files changed, 197 insertions(+), 22 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 
37b5fd7c7629e2618a1699e3ffd58110171db605..0ef7268f9cdc2c18482bbf7b8dbe19d3ef6b7bbf
 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -71,6 +71,7 @@
  #define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix"
  #define CONFDB_MONITOR_OVERRIDE_SPACE "override_space"
  #define CONFDB_MONITOR_USER_RUNAS "user"
+#define CONFDB_MONITOR_PRE_KILL_CMD "diag_cmd"

  /* Both monitor and domains */
  #define CONFDB_NAME_REGEX   "re_expression"
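Review bot: the macro added in this hunk is named CONFDB_MONITOR_PRE_KILL_CMD while the option string it maps to is "diag_cmd", so a search for either name will miss the other. Rename it to match the option (for example CONFDB_MONITOR_DIAG_CMD), or add a one-line comment above the define saying that it is the diag_cmd option and that it accepts the %p PID template described in the commit message.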
diff --git a/src/config/SSSDConfig/__init__.py.in 
b/src/config/SSSDConfig/__init__.py.in
index 
bf61c402796122050fa43cf41128faec4771c5d2..60129e6e7fbc96d11c539323346c22a7db6d7f23
 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -50,6 +50,7 @@ option_strings = {
  'reconnection_retries' : _('Number of times to attempt connection to Data 
Providers'),
  'fd_limit' : _('The number of file descriptors that may be opened by this 
responder'),
  'client_idle_timeout' : _('Idle time before automatic disconnection of a 
client'),
+'diag_cmd' : _('The command to run when a service ping times out'),

This is the reason why I ask for a little documentation... because the 
'%p' template is shadowed.




  # [sssd]
  'services' : _('SSSD Services to start'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 
45562214da5d227b45914abbcb298e043048adf5..abd4a39258e060f27db62eb2352450b6c405930c
 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -307,6 +307,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
  '

Re: [SSSD] [PATCH] SSSD: Add a new command diag_cmd

2015-11-09 Thread Petr Cech

On 11/04/2015 11:24 AM, Jakub Hrozek wrote:

Hi,

I created this patch to try to diagnose an issue where sssd would
randomly restart on any of machines in a VM cluster without giving too
much advice why. I think it might be useful to merge in general.


Hi Jakub,

I reviewed the patch. Code looks good to me.
CI tests passed: http://sssd-ci.duckdns.org/logs/job/32/25/summary.html

Then I tried to test new functionality.

Man pages are right, I found diag_cmd in sssd.conf.

And I really got the right message when I kill sss_pam:
# (Mon Nov  9 04:30:47 2015) [sssd] [svc_child_info] (0x0040): Child 
[25767] terminated with signal [9]


I would like to see the output of pstack, but I don't know how to get the 
right state of SSSD. Can you help me, please?


Regards

Petr


Re: [SSSD] [PATCH] TEST: recent_valid filter testing

2015-11-01 Thread Petr Cech

On 10/27/2015 09:42 AM, Petr Cech wrote:

The removed tests were:
  * users_by_filter_valid
  * users_by_filter_multiple_domains_valid
  * groups_by_filter_valid
  * groups_by_filter_multiple_domains_valid


Hello,

another patch set is attached.

This patch set covers groups_by_filter_valid by two new tests:
 * group_by_recent_filter_valid
 * groups_by_recent_filter_valid

The first of them tests the recent filter. The second tests interface 
ability to return more groups.



I looked at multiple_domains tests too. But I am afraid I misunderstood 
their purpose. Because users/groups are set with the same domains. I 
will look at it once again.


Regards,

Petr
From 9c2cf658b62734df71650b568bd1c6be6c4c6e43 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Sun, 1 Nov 2015 07:09:28 -0500
Subject: [PATCH 4/6] TEST: Add test_group_by_recent_filter_valid

Test groups_by_filter_valid() was removed in the past. We will add two new
tests instead of it. Logic of those tests is connected to RECENT
filter. It returns only records which have been written or updated after
filter was created (or another given time).

groups_by_filter_valid() --> group_by_recent_filter_valid()
                             groups_by_recent_filter_valid()

The first of new tests, group_by_recent_filter_valid(), counts with two
groups. One is stored before filter request creation and the second
group is stored after filter request creation. So filter returns only
one group.

The second of new tests, groups_by_recent_filter_valid(), counts with
three users. One is stored before filter request creation and two
groups are stored after filter request creation. So filter returns two
groups.

This patch adds group_by_recent_filter_valid().

Resolves:
https://fedorahosted.org/sssd/ticket/2730
---
 src/tests/cmocka/test_responder_cache_req.c | 45 +
 1 file changed, 45 insertions(+)

diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
index e4fccdab883f267cced1cf2e9995bd9828242690..77bdde40917b576b2b97d92d9dc23900085a11ae 100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -1495,6 +1495,50 @@ static void cache_req_group_by_filter_test_done(struct tevent_req *req)
 ctx->tctx->done = true;
 }
 
+void test_group_by_recent_filter_valid(void **state)
+{
+struct cache_req_test_ctx *test_ctx = NULL;
+TALLOC_CTX *req_mem_ctx = NULL;
+struct tevent_req *req = NULL;
+const char *ldbname = NULL;
+errno_t ret;
+
+test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+test_ctx->create_group = true;
+
+ret = sysdb_store_group(test_ctx->tctx->dom, TEST_GROUP_NAME2,
+1001, NULL, 1001, time(NULL));
+assert_int_equal(ret, EOK);
+
+sleep(1);
+
+req_mem_ctx = talloc_new(global_talloc_context);
+check_leaks_push(req_mem_ctx);
+
+/* Filters always go to DP */
+will_return(__wrap_sss_dp_get_account_send, test_ctx);
+mock_account_recv_simple();
+
+req = cache_req_group_by_filter_send(req_mem_ctx, test_ctx->tctx->ev,
+ test_ctx->rctx,
+ test_ctx->tctx->dom->name,
+ "test*");
+assert_non_null(req);
+tevent_req_set_callback(req, cache_req_group_by_filter_test_done, test_ctx);
+
+ret = test_ev_loop(test_ctx->tctx);
+assert_int_equal(ret, ERR_OK);
+assert_true(check_leaks_pop(req_mem_ctx));
+
+assert_non_null(test_ctx->result);
+assert_int_equal(test_ctx->result->count, 1);
+
+ldbname = ldb_msg_find_attr_as_string(test_ctx->result->msgs[0],
+  SYSDB_NAME, NULL);
+assert_non_null(ldbname);
+assert_string_equal(ldbname, TEST_GROUP_NAME);
+}
+
 void test_groups_by_filter_notfound(void **state)
 {
 struct cache_req_test_ctx *test_ctx = NULL;
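Review bot: sleep(1) after sysdb_store_group() adds a full second to every run only to make the TEST_GROUP_NAME2 entry older than the filter request. Storing that group with a timestamp of time(NULL) - 1 instead of time(NULL) would give the same ordering without the delay, provided the recent filter compares against the stored timestamp. The final assertion expects TEST_GROUP_NAME although the only group stored in the visible lines is TEST_GROUP_NAME2; a short comment saying where TEST_GROUP_NAME comes from (create_group = true and the mocked DP call) would make the expected count of 1 understandable.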
@@ -1615,6 +1659,7 @@ int main(int argc, const char *argv[])
 
 new_single_domain_test(user_by_recent_filter_valid),
 new_single_domain_test(users_by_recent_filter_valid),
+new_single_domain_test(group_by_recent_filter_valid),
 
 new_single_domain_test(users_by_filter_filter_old),
 new_single_domain_test(users_by_filter_notfound),
-- 
2.4.3

From 4efa3966f20791d65c439ff450b473c6d9419eff Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Sun, 1 Nov 2015 07:21:18 -0500
Subject: [PATCH 5/6] TEST: Refactor of test_responder_cache_req.c

We need a little more in the background of responder_cache_req tests. There
will be tests which will use three test groups. This patch adds support
for it.

Resolves:
https://fedorahosted.org/sssd/ticket/2730
---
 src/tests/cmocka/test_responder_cache_req.c | 20 +++-
 1 file changed, 15 insertions(+), 5 deletio

Re: [SSSD] [PATCH] sudo: remove unused param name in sdap_sudo_get_usn()

2015-11-02 Thread Petr Cech

On 11/02/2015 03:09 PM, Petr Cech wrote:

On 11/02/2015 03:03 PM, Pavel Reichl wrote:

Hello,

please see simple patch attached.

Thanks!


LGTM, I am waiting for CI :-)

Petr


CI tests passed:
http://sssd-ci.duckdns.org/logs/job/31/85/summary.html

=> ACK

Petr


Re: [SSSD] [PATCH] sudo: remove unused param name in sdap_sudo_get_usn()

2015-11-02 Thread Petr Cech

On 11/02/2015 03:03 PM, Pavel Reichl wrote:

Hello,

please see simple patch attached.

Thanks!




LGTM, I am waiting for CI :-)

Petr


Re: [SSSD] Review of umask() in SSSD

2015-11-05 Thread Petr Cech

On 10/21/2015 03:19 PM, Petr Cech wrote:

On 10/12/2015 11:37 AM, Jakub Hrozek wrote:

> From a15acee2495ee12190e711f3344e14c54fc73062 Mon Sep 17 00:00:00 2001
>From: Petr Cech<pc...@redhat.com>
>Date: Wed, 7 Oct 2015 08:57:15 -0400
>Subject: [PATCH 10/11] KRB5_CHILD: More restrictive umask
>
>We could use more restrictive umask in krb5_child. I found out that
>there is directory creation, but it is done by create_ccache_dir()
>which has its own umask setup.
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/2424
>---
>  src/providers/krb5/krb5_child.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/src/providers/krb5/krb5_child.c
b/src/providers/krb5/krb5_child.c
>index
69b7687188c04498f6ef7c10a1b5ca602daca8ef..be8db23df4660adcb59fcd2677b28ee415cd18d8
100644
>--- a/src/providers/krb5/krb5_child.c
>+++ b/src/providers/krb5/krb5_child.c
>@@ -720,7 +720,7 @@ static krb5_error_code create_ccache(char
*ccname, krb5_creds *creds)
>  #endif
>
>  /* Set a restrictive umask, just in case we end up creating
any file */
>-umask(SSS_DFL_X_UMASK);
>+umask(SSS_DFL_UMASK);

I think this change is OK, as you say, the directories might need the
executable flag, but then the directory-creating code should make sure
the permissions are more relaxed..

I checked it again. It is OK.



btw I tested both FILE ccache:
 krb5_ccname_template =FILE:/tmp/ccache_%p.XX
the result looked OK to me:
 # ll /tmp/ccache_ad...@ipa.test.KDaxgn
 -rw---. 1 admin admins 1041 Oct 12 09:14
/tmp/ccache_ad...@ipa.test.KDaxgn
and DIR ccache:
 krb5_ccname_template = DIR:/tmp/ccaches/ccache_%p
also looked good:
 # ll -d/tmp/ccaches/
 drwx--. 3 admin admins 4096 Oct 12 09:31/tmp/ccaches/
 # ll -d/tmp/ccaches/ccache_ad...@ipa.test/
 drwx--. 2 admin admins 4096 Oct 12
09:31/tmp/ccaches/ccache_ad...@ipa.test/
 # ll /tmp/ccaches/ccache_ad...@ipa.test
 -rw---. 1 admin admins   10 Oct 12 09:31 primary
 -rw---. 1 admin admins 1041 Oct 12 09:31 tktrg2WYD


>
>  /* we create a new context here as the main process one may
have been
>   * opened as root and contain possibly references (even open
handles ?)
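Review bot: the comment above the changed umask() call still says only "just in case we end up creating any file", which no longer tells the reader why the non-executable mask is safe here. SSS_DFL_UMASK is 0177 (patch 01/11), so any directory created under it would lose its search bit; add a sentence to that comment saying that directory creation goes through create_ccache_dir(), which sets its own umask, as the commit message already explains.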
>--
>2.4.3
>
> From 6085c5ce86e6ba79f29d2c18f6fceca9bab5cecb Mon Sep 17 00:00:00 2001
>From: Petr Cech<pc...@redhat.com>
>Date: Wed, 7 Oct 2015 09:32:12 -0400
>Subject: [PATCH 11/11] UTILS: Removing SSS_DFL_X UMASK constant

077 is still used in sss_unique_file(). So we can either use SSS_DFL_X
umask there or convert to non-executable umask. Either way, I think it's
OK to keep SSS_DFL_X even though it's unused right now for later use.
It's just a constant.

OK, SSS_DFL_X_UMASK is still here, but not used in code.



sss_unique_file is used to generate kdcinfo files, where non-x would be
OK because later we fchmod to 644 anyway:
  ret = fchmod(fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);

..and also used in gpo_cache_store_file() which uses the same pattern..


I rewrote DFL_X to DFL in sss_unique_file().


...then also in sss_unique_filename() which is used to create dummy
keytabs in ipa_server_trusted_dom_setup_1way(), handle_randomized() and
ldap_child_get_tgt_sync(). Now:
 - ipa_server_trusted_dom_setup_1way() - safe to change, we only
use it
 to get a unique filename, the contents are filled with ipa-getkeytab
 - handle_randomized() - safe to change, libkrb5 unlinks the unique
   file later, so we just really need the filename
 - ldap_child_get_tgt_sync() - ditto, only used as input for
   krb5_cc_resolve()


The third patch is about a redundant constant.

And at the end, there are many uses of umask() in CI tests, which I leave
as they are. They could be test relevant. Maybe I will touch it in some
future patch.

The last umask-like constant is 644, which is connected to chmod(),
open(), etc. Do we want to have a constant for it?

Regards

Petr




bump
___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
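
The permission arithmetic behind this review, as an added example that is not part of the original messages or of SSSD's code: it creates files and a directory under the three mask values quoted in the thread and returns the resulting mode bits, including the fchmod() to 0644 mentioned for sss_unique_file(). The demo_ function names, the DEMO_ macros and the /tmp scratch path are assumptions of this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for mkdtemp() and fchmod() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Mask values quoted in the thread; the DEMO_ names exist only here. */
#define DEMO_DFL_UMASK   0177   /* value given for SSS_DFL_UMASK */
#define DEMO_DFL_X_UMASK 0077   /* value given for SSS_DFL_X_UMASK */
#define DEMO_SCKT_UMASK  0111   /* value given for SCKT_RSP_UMASK */

/* Make a private scratch directory (constructed path). mkdtemp() asks for
 * 0700, which is itself filtered by the umask, so use a mask that keeps x. */
static int demo_scratch(char *dir, size_t len)
{
    mode_t old = umask(DEMO_DFL_X_UMASK);
    char *made;

    snprintf(dir, len, "/tmp/umask_demo_XXXXXX");
    made = mkdtemp(dir);
    umask(old);
    return made != NULL ? 0 : -1;
}

/* Permission bits of a file opened with `requested` while `mask` is active.
 * If then_fchmod is non-zero the file is fchmod()ed to 0644 afterwards.
 * Returns -1 on error. umask() is process-wide, so the old value is
 * restored right after the open() call. */
int demo_file_mode(mode_t mask, mode_t requested, int then_fchmod)
{
    char dir[64], path[96];
    struct stat st;
    mode_t old;
    int fd, ok = 1, mode = -1;

    if (demo_scratch(dir, sizeof(dir)) != 0) return -1;
    snprintf(path, sizeof(path), "%s/file", dir);

    old = umask(mask);
    fd = open(path, O_CREAT | O_EXCL | O_WRONLY, requested);
    umask(old);

    if (fd != -1) {
        if (then_fchmod) {
            /* fchmod() sets the mode directly; the umask is not applied */
            ok = (fchmod(fd, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == 0);
        }
        if (ok && fstat(fd, &st) == 0) mode = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return mode;
}

/* Permission bits of a directory created with mkdir(path, 0777) under mask. */
int demo_dir_mode(mode_t mask)
{
    char dir[64], path[96];
    struct stat st;
    mode_t old;
    int mode = -1;

    if (demo_scratch(dir, sizeof(dir)) != 0) return -1;
    snprintf(path, sizeof(path), "%s/sub", dir);

    old = umask(mask);
    if (mkdir(path, 0777) == 0) {
        if (stat(path, &st) == 0) mode = (int)(st.st_mode & 0777);
        rmdir(path);
    }
    umask(old);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("file 0777 under 0177        -> %04o\n",
           (unsigned)demo_file_mode(DEMO_DFL_UMASK, 0777, 0));
    printf("file 0777 under 0077        -> %04o\n",
           (unsigned)demo_file_mode(DEMO_DFL_X_UMASK, 0777, 0));
    printf("file 0666 under 0111        -> %04o\n",
           (unsigned)demo_file_mode(DEMO_SCKT_UMASK, 0666, 0));
    printf("file under 0177 then fchmod -> %04o\n",
           (unsigned)demo_file_mode(DEMO_DFL_UMASK, 0600, 1));
    printf("dir  0777 under 0177        -> %04o (no search bit)\n",
           (unsigned)demo_dir_mode(DEMO_DFL_UMASK));
    printf("dir  0777 under 0077        -> %04o\n",
           (unsigned)demo_dir_mode(DEMO_DFL_X_UMASK));
    return 0;
}
```

The directory rows show why code that creates directories cannot simply inherit the 0177 mask: the result is 0600, which an unprivileged owner cannot traverse.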


Re: [SSSD] [PATCH] TEST: recent_valid filter testing

2015-11-05 Thread Petr Cech

On 11/04/2015 11:11 AM, Jakub Hrozek wrote:

Hi,

Sorry it took so long to get back to the review.  I only have some minor
comments, see inline..

Because the group patches are more or less equivalent, I'll just comment
here. If you agree with the comments, please also change the group tests
and resend in a single set.

Thanks for the tests!


> From e3dd543eec09f6e4386bfe6f1505538575fe5356 Mon Sep 17 00:00:00 2001
>From: Petr Cech<pc...@redhat.com>
>Date: Fri, 2 Oct 2015 07:34:08 -0400
>Subject: [PATCH 1/3] TEST: Add test_user_by_recent_filter_valid
>
>Test users_by_filter_valid() was removed in past. We will add two new
>tests instead of it. Logic of those tests is connected to RECENT
>filter. It returns only records which have been wrote or updated after
>filter was created (or another given time).
>
>users_by_filter_valid() --> user_by_recent_filter_valid()
> users_by_recent_filter_valid()
>
>The first of new tests, user_by_recent_filter_valid(), counts with two
>users. One is stored before filter request creation and the second user
>is stored after filter request creation. So filter returns only one
>user.
>
>The second of new tests, users_by_recent_filter_valid(), counts with
>three users. One is stored before filter request creation and two users
>are stored after filter request creation. So filter returns two users.
>
>This patch adds user_by_recent_filter_valid().
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/2730
>---
>  src/tests/cmocka/test_responder_cache_req.c | 50 
+
>  1 file changed, 50 insertions(+)
>
>diff --git a/src/tests/cmocka/test_responder_cache_req.c 
b/src/tests/cmocka/test_responder_cache_req.c
>index 
744c8f4a8f7aa4e08f82aca5aea003438b5b59da..3379b17f7feea521966d6c8646afd9859a3c5255 
100644
>--- a/src/tests/cmocka/test_responder_cache_req.c
>+++ b/src/tests/cmocka/test_responder_cache_req.c
>@@ -1239,6 +1239,53 @@ static void cache_req_user_by_filter_test_done(struct 
tevent_req *req)
>  ctx->tctx->done = true;
>  }
>
>+void test_user_by_recent_filter_valid(void **state)
>+{
>+struct cache_req_test_ctx *test_ctx = NULL;
>+TALLOC_CTX *req_mem_ctx = NULL;
>+struct tevent_req *req = NULL;
>+const char *ldbname = NULL;
>+errno_t ret;
>+
>+test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
>+test_ctx->create_user = true;
>+
>+ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME2, "pwd", 1001, 
1001,
>+   NULL, NULL, NULL, "cn="TEST_USER_NAME2",dc=test", 
NULL,
>+   NULL, 1000, time(NULL));
>+assert_int_equal(ret, EOK);
>+
>+sleep(1);

The purpose of the sleep() here is just to make sure the entry was
created in the past, right? Would it be equally safe to create the user
with timestamp time(NULL)-1 to make the test faster?


>+
>+req_mem_ctx = talloc_new(test_ctx->tctx);
>+check_leaks_push(req_mem_ctx);
>+
>+/* Filters always go to DP */
>+will_return(__wrap_sss_dp_get_account_send, test_ctx);
>+mock_account_recv_simple();

Can you add a comment that the TEST_USER is created with a DP callback
here?


>+
>+req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev,
>+test_ctx->rctx,
>+test_ctx->tctx->dom->name,
>+"test*");

It would read nicer if we had a constant TEST_USER_PREFIX "test_user" #defined,
or even TEST_USER_FILTER with the asterisk.


>+assert_non_null(req);
>+
>+tevent_req_set_callback(req, cache_req_user_by_filter_test_done, 
test_ctx);
>+
>+ret = test_ev_loop(test_ctx->tctx);
>+assert_int_equal(ret, ERR_OK);
>+assert_true(check_leaks_pop(req_mem_ctx));
>+
>+assert_non_null(test_ctx->result);
>+assert_int_equal(test_ctx->result->count, 1);
>+
>+ldbname = ldb_msg_find_attr_as_string(test_ctx->result->msgs[0],
>+  SYSDB_NAME, NULL);
>+assert_non_null(ldbname);
>+assert_string_equal(ldbname, TEST_USER_NAME);
>+}
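Review bot: req_mem_ctx, allocated with talloc_new(test_ctx->tctx), is not freed anywhere in the added function; after assert_true(check_leaks_pop(req_mem_ctx)) add talloc_free(req_mem_ctx), or say in a comment that teardown of test_ctx->tctx releases it. The literals 1001, 1000 and "pwd" passed to sysdb_store_user() would also read better as named test constants next to TEST_USER_NAME2.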
> From c2e87544dfbc0667e1b935394d697322b34dddeb Mon Sep 17 00:00:00 2001
>From: Petr Cech<pc...@redhat.com>
>Date: Tue, 27 Oct 2015 03:53:18 -0400
>Subject: [PATCH 2/3] TEST: Refactor of test_responder_cache_req.c
>
>We need little more in background of responder_cache_req tests. There
>will be tests which will use three test users. This patch add support
>for it.
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/2730
>---
>  src/te

Re: [SSSD] [PATCH] TEST: recent_valid filter testing

2015-10-15 Thread Petr Cech

ping


Re: [SSSD] Review of umask() in SSSD

2015-10-07 Thread Petr Cech

On 10/04/2015 09:39 PM, Jakub Hrozek wrote:

Finally, because I'm a lazy reviewer, I would prefer:
 - a patch that converts 0177 to DFL, with a comment around the macro
   definition that this is the default secure umask
 - a patch that converts 0077 to DFL_X, with a comment around DFL_X
   definition that unless executable bit is explicitly needed, DFL
   should be used
 - a patch per change if we need to tighten the existing umasks
   further.


Hi Jakub,

I put more care and expanded review of umask in several patches.

Patch 0005-P11-CHILD-NSS was discussed with Sumit (thanks).

I'd like to ask about any special care at patch 0010-KRB5-CHILD.
I investigated it, but second look will be better.

Regards

Petr
From 97f8c14b58f29cf3ce341ead29f17204faa60f3d Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Mon, 5 Oct 2015 09:38:10 -0400
Subject: [PATCH 01/11] REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK)

There are many calls of umask function with 0177 argument. This patch
adds new constant SSS_DFL_UMASK which stands for 0177. So all occurrences
of umask(0177) (except responder code) are replaced by constant
SSS_DFL_UMASK.

Resolves:
https://fedorahosted.org/sssd/ticket/2424
---
 src/confdb/confdb.c | 2 +-
 src/util/debug.c| 2 +-
 src/util/server.c   | 5 ++---
 src/util/util.h | 3 +++
 4 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index d811f7cbf597db5c5ee5fa658c8864233da8f2e0..0f76a3d140ec832467c8382df088ac0e279207c0 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -659,7 +659,7 @@ int confdb_init(TALLOC_CTX *mem_ctx,
 return EIO;
 }
 
-old_umask = umask(0177);
+old_umask = umask(SSS_DFL_UMASK);
 
 ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL);
 umask(old_umask);
diff --git a/src/util/debug.c b/src/util/debug.c
index 69df54386101973548108c3194a1bfd111f046f0..bd13fdecdbd37da8e13ed492c115570657d2588c 100644
--- a/src/util/debug.c
+++ b/src/util/debug.c
@@ -362,7 +362,7 @@ int open_debug_file_ex(const char *filename, FILE **filep, bool want_cloexec)
 
 if (debug_file && !filep) fclose(debug_file);
 
-old_umask = umask(0177);
+old_umask = umask(SSS_DFL_UMASK);
 errno = 0;
 f = fopen(logpath, "a");
 if (f == NULL) {
diff --git a/src/util/server.c b/src/util/server.c
index 7e9b76f74ee5e76d2481eb425eff4811cc2e780e..036dace044c1e2c3efbb2411f39bdfd3f9616db4 100644
--- a/src/util/server.c
+++ b/src/util/server.c
@@ -490,9 +490,8 @@ int server_setup(const char *name, int flags,
 
 setup_signals();
 
-/* we want default permissions on created files to be very strict,
-   so set our umask to 0177 */
-umask(0177);
+/* we want default permissions on created files to be very strict */
+umask(SSS_DFL_UMASK);
 
 if (flags & FLAGS_DAEMON) {
 DEBUG(SSSDBG_IMPORTANT_INFO, "Becoming a daemon.\n");
diff --git a/src/util/util.h b/src/util/util.h
index f9fe1ca7189c6b2cdcb29f143005b20a2d969fee..9658d79fe9a0062b46188f2e7a97aaaebdeff29e 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -64,6 +64,9 @@
 #define SSS_ATTRIBUTE_PRINTF(a1, a2)
 #endif
 
+/** Default secure umask */
+#define SSS_DFL_UMASK 0177
+
 extern const char *debug_prg_name;
 extern int debug_level;
 extern int debug_timestamps;
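Review bot: the doc comment on SSS_DFL_UMASK says only "Default secure umask", which does not convey the distinction this series draws between 0177 and 077. Spell out there that the mask yields owner read/write only (0600) and strips the execute bit, so code that creates directories needs a different mask. The responder code keeps its own DFL_RSP_UMASK with the same 0177 value (patch 02/11); defining that one in terms of SSS_DFL_UMASK would leave a single place to change.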
-- 
2.4.3

From eab27ab030d0efe44ae25e2313bbee40db5cc9d4 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Mon, 5 Oct 2015 09:51:20 -0400
Subject: [PATCH 02/11] REFACTOR: DFL_RSP_UMASK constant in responder code

There is DFL_RSP_UMASK constant for very secure umask in responder
code. This patch replaces occurrences of value 0177 with this constant.

Resolves:
https://fedorahosted.org/sssd/ticket/2424
---
 src/responder/common/responder_common.c | 3 ++-
 src/responder/pam/pamsrv.c  | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 2097004cb0fc24d8b356f9d924243f948227ef58..baaf0412b4a70537a2523a98ff33d8f34f194b47 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -690,7 +690,8 @@ static int set_unix_socket(struct resp_ctx *rctx)
 if (rctx->priv_sock_name != NULL ) {
 /* create privileged pipe */
 if (rctx->priv_lfd == -1) {
-ret = create_pipe_fd(rctx->priv_sock_name, >priv_lfd, 0177);
+ret = create_pipe_fd(rctx->priv_sock_name, >priv_lfd,
+ DFL_RSP_UMASK);
 if (ret != EOK) {
 goto failed;
 }
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 3fe467c3cfc4c63b9c261065a17a54c20ea4a546..6ac770b7ac80676824cd572444359b96279902f7 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -396,7 +396,8 @@ i

Re: [SSSD] Review of umask() in SSSD

2015-10-13 Thread Petr Cech

On 10/12/2015 11:37 AM, Jakub Hrozek wrote:

On Wed, Oct 07, 2015 at 03:55:17PM +0200, Petr Cech wrote:

On 10/04/2015 09:39 PM, Jakub Hrozek wrote:

Finally, because I'm a lazy reviewer, I would prefer:
 - a patch that converts 0177 to DFL, with a comment around the macro
   definition that this is the default secure umask
 - a patch that converts 0077 to DFL_X, with a comment around DFL_X
   definition that unless executable bit is explicitly needed, DFL
   should be used
 - a patch per change if we need to tighten the existing umasks
   further.


Hi Jakub,

I put more care and expanded review of umask in several patches.

Patch 0005-P11-CHILD-NSS was discussed with Sumit (thanks).

I'd like to ask about any special care at patch 0010-KRB5-CHILD.
I investigated it, but second look will be better.

Regards

Petr


Thanks, this is much easier to review!


 From 97f8c14b58f29cf3ce341ead29f17204faa60f3d Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Mon, 5 Oct 2015 09:38:10 -0400
Subject: [PATCH 01/11] REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK)

There are many calls of umask function with 0177 argument. This patch
adds new constant SSS_DFL_UMASK which stands for 0177. So all occurrences
of umask(0177) (except responder code) are replaced by constant
SSS_DFL_UMASK.

Resolves:
https://fedorahosted.org/sssd/ticket/2424
---


ACK


 From eab27ab030d0efe44ae25e2313bbee40db5cc9d4 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Mon, 5 Oct 2015 09:51:20 -0400
Subject: [PATCH 02/11] REFACTOR: DFL_RSP_UMASK constant in responder code

There is DFL_RSP_UMASK constant for very secure umask in responder
code. This patch replaces occurrences of value 0177 with this constant.

Resolves:
https://fedorahosted.org/sssd/ticket/2424


ACK, but what do you think about changing the definition of
DFL_RSP_UMASK to:
 #define DFL_RSP_UMASK SSS_DFL_UMASK

Done.



 From 3c9b9d9046082b6a4b586d7bdd02c9ec1eee0749 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Mon, 5 Oct 2015 10:12:36 -0400
Subject: [PATCH 03/11] REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)

There are many calls of umask function with 077 argument. This patch
adds new constant SSS_DFL_X_UMASK which stands for 077. So all
occurrences of umask(077) are replaced by constant SSS_DFL_X_UMASK.

Resolves:
https://fedorahosted.org/sssd/ticket/2424


ACK


 From 1cfd7467ac939e2d12c18f8852402ea9c3305379 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Tue, 6 Oct 2015 03:04:44 -0400
Subject: [PATCH 04/11] REFACTOR: SCKT_RSP_UMASK constant in responder code

This patch adds new SCKT_RSP_UMASK constant which stands for 0111. And
it replaces all occurrences in responder code.

Resolves:
https://fedorahosted.org/sssd/ticket/2424
---
  src/responder/common/responder.h| 4 
  src/responder/common/responder_common.c | 2 +-
  src/responder/pam/pamsrv.c  | 2 +-
  3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 
4d927cfe321bf3ad240b7c175568081ea73ab652..ef072d5c72371a7033f5462001c22471ccbf5abf
 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -43,6 +43,10 @@ extern hash_table_t *dp_requests;
   * so set our umask to 0177 */
  #define DFL_RSP_UMASK 0177

+/* Sockets must be readable and writable by anybody on the system.


I would add "Public sockets" here, because we also have a private PAM
socket that's only open for root:
 # ll /var/lib/sss/pipes/private/pam
 srw---. 1 root root 0 Oct 10 22:28 /var/lib/sss/pipes/private/pam


Done.

 From 0a43a4febf56b8429d05dd448c5ee8800d1a8d21 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Tue, 6 Oct 2015 07:05:57 -0400
Subject: [PATCH 05/11] P11_CHILD_NSS: More restrictive permissions

p11_child_nss runs as root and we must be careful about security. This
patch adds more restrictive permissions on it. There is no reason for
0077, so we use 0177 umask.

Resolves:
https://fedorahosted.org/sssd/ticket/2424


ACKed also by Sumit.


 From 820c4edd0cc0ba2a43d363cbbb79aab2fcad6b37 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Tue, 6 Oct 2015 07:57:17 -0400
Subject: [PATCH 06/11] UTILS: More restrictive permissions in domain_info

There are two occurrences of creating temp. file under SSS_DFL_X_UMASK
permissions which enable possibility to grant executable permission.
After writing to those temp. files, they are renamed and they
get 0644 permissions. So SSS_DFL_UMASK is good enough for this case.

Resolves:
https://fedorahosted.org/sssd/ticket/2424


ACK, I verified the permissions on domain mappings and krb5_localauth
files is still 644:
 # ll /var/lib/sss/pubconf/krb5.include.d/
 total 8
 -rw-r--r--. 1 root root 387 Oct 12 09:06 domain_realm_ipa_test
 -rw-r--r--. 1
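
The difference between the 0077 and 0177 umasks discussed in patches 05/11 and 06/11 above, as an added example that is not part of the original thread or of the SSSD source. It assumes SSS_DFL_X_UMASK is 0077 and SSS_DFL_UMASK is 0177, and that the final 0644 mode is set with fchmod() before the rename; the file names and the /tmp scratch path are constructed.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700            /* mkdtemp(), fchmod() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed values: the thread compares umask 0077 with 0177; tying them to
 * SSS_DFL_X_UMASK and SSS_DFL_UMASK is an assumption of this example. */
#define DEMO_X_UMASK 0077   /* owner keeps rwx: execute can be granted */
#define DEMO_UMASK   0177   /* owner keeps rw- only */

/* Make a private scratch directory BEFORE the restrictive umask is set:
 * under 0177 a new directory would lose its search (x) bit. */
static int make_scratch(char *dir, size_t len)
{
    snprintf(dir, len, "/tmp/umask_demo_XXXXXX");   /* constructed path */
    return mkdtemp(dir) == NULL ? -1 : 0;
}

/* Create a file asking for `requested` bits while `mask` is the process
 * umask. Returns the permission bits found on disk, or -1 on error.
 * A request of 0777 models a creator that does not narrow the mode itself. */
static int created_mode(mode_t mask, mode_t requested)
{
    char dir[64], path[96];
    struct stat st;
    mode_t old;
    int fd, result = -1;

    if (make_scratch(dir, sizeof(dir)) != 0) {
        return -1;
    }
    snprintf(path, sizeof(path), "%s/tmpfile", dir);

    old = umask(mask);
    fd = open(path, O_CREAT | O_EXCL | O_WRONLY, requested);
    umask(old);                      /* do not leak the mask to callers */

    if (fd >= 0) {
        if (fstat(fd, &st) == 0) {
            result = (int)(st.st_mode & 07777);
        }
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

/* Write-then-rename: the temp file stays private while it is written and
 * becomes world-readable (0644) only when it is published under its final
 * name. Returns the mode of the published file, or -1 on error. */
static int published_mode(mode_t mask)
{
    char dir[64], tmp[96], dest[96];
    struct stat st;
    mode_t old;
    int fd, result = -1;

    if (make_scratch(dir, sizeof(dir)) != 0) {
        return -1;
    }
    snprintf(tmp, sizeof(tmp), "%s/mapping.tmp", dir);
    snprintf(dest, sizeof(dest), "%s/mapping", dir);

    old = umask(mask);
    fd = open(tmp, O_CREAT | O_EXCL | O_WRONLY, 0666);
    umask(old);
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    if (write(fd, "constructed\n", 12) == 12 &&
        fchmod(fd, 0644) == 0 &&
        rename(tmp, dest) == 0 &&
        stat(dest, &st) == 0) {
        result = (int)(st.st_mode & 07777);
    }
    close(fd);
    unlink(tmp);                     /* fails harmlessly after a rename */
    unlink(dest);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("umask 0077, request 0777 -> %04o\n",
           (unsigned)created_mode(DEMO_X_UMASK, 0777));
    printf("umask 0177, request 0777 -> %04o\n",
           (unsigned)created_mode(DEMO_UMASK, 0777));
    printf("umask 0177, published    -> %04o\n",
           (unsigned)published_mode(DEMO_UMASK));
    return 0;
}
```

Under 0077 a careless creator still ends up with an owner-executable file; under 0177 the execute bit cannot appear, and the published file is 0644 either way.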

Re: [SSSD] [PATCH] SDAP: rem warning - sizelimit exceeded in POSIX check

2015-10-13 Thread Petr Cech

Hi everyone,

we just discussed 'function wrapper' topic offline.

I agree that it is not ideal to add new parameter to the function. And I 
agree that in languages like C, we have return value model.


On the other hand, we have clean code on our minds. So I think that 
wrappers like:


#  int func(a, b, c, d);
#  int func_with_warns(a,b,c,d);

are better if we use func() very often. Why? The reason is that we look 
at func() as something which does one thing, or one thing with printing 
warnings. So we can quickly check whether every occurrence is right or not. 
It could be confusing if we needed to check something like:


#  int ret;
#  ret = func(a,b,c,d);
#  if (ret != EOK) {
#  }
#  ...
#  if (ret == WARNS) {
#      LOG(...);
#  }

Regards

Petr

PS: I didn't read the thread, so it is only my 2 cents.


Re: [SSSD] [WIKI] Contribute and DevelTips are duplicate

2015-10-06 Thread Petr Cech

On 09/03/2015 04:02 PM, Petr Cech wrote:

I just updated the wiki pages. I will send another mail for it.

But in this thread, I would like to note, what is exactly done.

Original pages:
[ 1] https://fedorahosted.org/sssd/wiki/Contribute
[ 2] https://fedorahosted.org/sssd/wiki/DevelTips
[ 3] https://fedorahosted.org/sssd/wiki/DevelTutorials
[ 4] https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs
[ 5] https://fedorahosted.org/sssd/wiki/BugLifecycle
[ 6] https://fedorahosted.org/sssd/wiki/Repositories

Content of [3] has been divided between [1] and [3], content of [5]
has been divided between [1] and [4]. Then [3,5,6] will be deleted.
There is a little mistake, content of [3] has been divided between [2,4] 
I just checked it.




Test of new pages:
[ 7] https://fedorahosted.org/sssd/wiki/pcech_test_contribute
[ 8] https://fedorahosted.org/sssd/wiki/pcech_test_devel_tips
[ 9] https://fedorahosted.org/sssd/wiki/pcech_test_reporting_sssd_bugs

UPDATE:
[ 7] --> [ 1]
[ 8] --> [ 2]
[ 9] --> [ 4]
Pages [7,8,9] still exist, but we could remove them.
Pages [3,5,6] exist too, but I hope no links target them. We could
remove them too.

I am sorry, but after this ticket I am blind on wiki. Could somebody
check, that I did update properly? Thanks.

Petr


Hi,

some time ago I edited wiki pages. The exact changes are described in 
the previous email.
Today I erased the pages ([7,8,9] and [3,5,6]) that were marked for 
deletion. Their copies are attached.


Regards

Petr


removed_wiki_pages.tar.gz
Description: application/gzip


remved_temp_pages.tar.gz
Description: application/gzip


[SSSD] [PATCH] UTIL: Function 2string for enum sss_cli_command

2015-07-08 Thread Petr Cech

Hi!

https://fedorahosted.org/sssd/ticket/2703

It's my first patch to this ticket. It is a simple transformation of the 
command number to a string.


Petr
From ca782a1518480635ef60bc2cdf77d9b8644132b0 Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Wed, 8 Jul 2015 07:17:28 -0400
Subject: [PATCH] UTIL: Function 2string for enum sss_cli_command

Improvement of debug messages.
Instead of:(0x0400): Running command [17] with...
We could see:(0x0400): Running command [SSS_NSS_GETPWNAM] with...

Resolves:
https://fedorahosted.org/sssd/ticket/2703
---
 src/responder/nss/nsssrv_cmd.c |  29 +++---
 src/sss_client/pam_sss.c   |   7 +-
 src/tools/tools_mc_util.c  |   4 +-
 src/util/sss_log.c | 215 +
 src/util/util.h|   4 +
 5 files changed, 242 insertions(+), 17 deletions(-)

diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 0129467302f16af3180a5be47ff2e235da65..421048ec71891b87f6be08efe41fa7c48c97cfaa 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1312,7 +1312,8 @@ static int nss_cmd_getbynam(enum sss_cli_command cmd, struct cli_ctx *cctx)
 case SSS_NSS_GETORIGBYNAME:
 break;
 default:
-DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%d].\n, cmd);
+DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%s].\n,
+  sss_cli_command_2string(cmd));
 return EINVAL;
 }
 
@@ -1347,8 +1348,8 @@ static int nss_cmd_getbynam(enum sss_cli_command cmd, struct cli_ctx *cctx)
 
 rawname = (const char *)body;
 
-DEBUG(SSSDBG_TRACE_FUNC, Running command [%d] with input [%s].\n,
-   dctx-cmdctx-cmd, rawname);
+DEBUG(SSSDBG_TRACE_FUNC, Running command [%s] with input [%s].\n,
+  sss_cli_command_2string(dctx-cmdctx-cmd), rawname);
 
 if (dctx-cmdctx-cmd == SSS_NSS_GETSIDBYNAME) {
 ret = nss_check_name_of_well_known_sid(cmdctx, rawname);
@@ -1737,7 +1738,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, struct cli_ctx *cctx)
 case SSS_NSS_GETSIDBYID:
 break;
 default:
-DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%d].\n, cmd);
+DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%s].\n,
+  sss_cli_command_2string(cmd));
 return EINVAL;
 }
 
@@ -1766,8 +1768,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, struct cli_ctx *cctx)
 }
 SAFEALIGN_COPY_UINT32(cmdctx-id, body, NULL);
 
-DEBUG(SSSDBG_TRACE_FUNC, Running command [%d] with id [%PRIu32].\n,
-  dctx-cmdctx-cmd, cmdctx-id);
+DEBUG(SSSDBG_TRACE_FUNC, Running command [%s] with id [%PRIu32].\n,
+  sss_cli_command_2string(dctx-cmdctx-cmd), cmdctx-id);
 
 switch(dctx-cmdctx-cmd) {
 case SSS_NSS_GETPWUID:
@@ -1805,8 +1807,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, struct cli_ctx *cctx)
 }
 break;
 default:
-DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%d].\n,
-dctx-cmdctx-cmd);
+DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%s].\n,
+  sss_cli_command_2string(dctx-cmdctx-cmd));
 ret = EINVAL;
 goto done;
 }
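Review bot: In this `default:` branch dctx->cmdctx->cmd is by definition a value the switch does not handle, so sss_cli_command_2string() is being asked about exactly the values it is least likely to know. The helper has to return a non-NULL fallback string for unknown values (passing NULL to %s is undefined behaviour), and the message should keep the raw number next to the name, for example [%d][%s], so that an unexpected command value can still be identified from the log. The same applies to the other "Invalid command" branches in this file.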
@@ -1851,8 +1853,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, struct cli_ctx *cctx)
 }
 break;
 default:
-DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%d].\n,
-dctx-cmdctx-cmd);
+DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%s].\n,
+  sss_cli_command_2string(dctx-cmdctx-cmd));
 ret = EINVAL;
 }
 
@@ -5172,7 +5174,8 @@ static int nss_cmd_getbysid(enum sss_cli_command cmd, struct cli_ctx *cctx)
 size_t bin_sid_length;
 
 if (cmd != SSS_NSS_GETNAMEBYSID  cmd != SSS_NSS_GETIDBYSID) {
-DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%d].\n, cmd);
+DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%s].\n,
+  sss_cli_command_2string(cmd));
 return EINVAL;
 }
 
@@ -5214,8 +5217,8 @@ static int nss_cmd_getbysid(enum sss_cli_command cmd, struct cli_ctx *cctx)
 goto done;
 }
 
-DEBUG(SSSDBG_TRACE_FUNC, Running command [%d] with SID [%s].\n,
-   dctx-cmdctx-cmd, sid_str);
+DEBUG(SSSDBG_TRACE_FUNC, Running command [%s] with SID [%s].\n,
+  sss_cli_command_2string(dctx-cmdctx-cmd), sid_str);
 
 cmdctx-secid = talloc_strdup(cmdctx, sid_str);
 if (cmdctx-secid == NULL) {
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index e4fa83e12c71bb05dd329686cf2d2df6323ff3bd..90fae56764854d7856b3ee327c18ab6608ff2f6d 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -43,6 +43,7 @@
 #include pam_message.h
 #include util/atomic_io.h
 #include util/authtok-utils.h
+#include util/util.h
 
 #include libintl.h
 #define _(STRING) dgettext (PACKAGE
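Review bot: The added `#include util/util.h` pulls SSSD's general internal utility header into pam_sss.c, which is compiled into the PAM module that other programs load. The includes around it are limited to the single-purpose helpers util/atomic_io.h and util/authtok-utils.h; declaring the string helper in a small header of its own, and building its source file into the module, would keep that boundary and avoid an undefined symbol when the module is built with its debug macro enabled.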

Re: [SSSD] [PATCH] UTIL: Function 2string for enum sss_cli_command

2015-07-08 Thread Petr Cech



On 07/08/2015 02:46 PM, Pavel Reichl wrote:

On 07/08/2015 02:13 PM, Petr Cech wrote:

Hi!

https://fedorahosted.org/sssd/ticket/2703

It's my first patch to this ticket. It is a simple transformation of the 
command number to a string.


Petr

Hello Petr,

thanks for the patch!

I haven't tested the patch yet, but I have some nitpicks. Please see 
inline.


0001-UTIL-Function-2string-for-enum-sss_cli_command.patch


 From ca782a1518480635ef60bc2cdf77d9b8644132b0 Mon Sep 17 00:00:00 2001
From: Petr Cechpc...@redhat.com
Date: Wed, 8 Jul 2015 07:17:28 -0400
Subject: [PATCH] UTIL: Function 2string for enum sss_cli_command

Improvement of debug messages.
Instead of:(0x0400): Running command [17] with...
We could see:(0x0400): Running command [SSS_NSS_GETPWNAM] with...

Resolves:
https://fedorahosted.org/sssd/ticket/2703

Is this the right ticket? Subject of the ticket is Need better 
libhbac debuging added to sssd but I don't think this patch relates 
to libhbac, right?

Pavel, you're right, it is not the right ticket. I was looking to 
Improving the debug messages thread and I would like to start with 
small improvement. Logging messages could be more on user side. So I 
will create new ticket for it.

---
  src/responder/nss/nsssrv_cmd.c |  29 +++---
  src/sss_client/pam_sss.c   |   7 +-
  src/tools/tools_mc_util.c  |   4 +-
  src/util/sss_log.c | 215 +
  src/util/util.h|   4 +
  5 files changed, 242 insertions(+), 17 deletions(-)

diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 
0129467302f16af3180a5be47ff2e235da65..421048ec71891b87f6be08efe41fa7c48c97cfaa
 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1312,7 +1312,8 @@ static int nss_cmd_getbynam(enum sss_cli_command cmd, 
struct cli_ctx *cctx)
  case SSS_NSS_GETORIGBYNAME:
  break;
  default:
-DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%d].\n, cmd);
+DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%s].\n,
+  sss_cli_command_2string(cmd));
  return EINVAL;
  }
I think that removing the number value might be a little too much. 
There might be people used to it. So I think that showing both might 
be the best option. Please see how we use 'sss_strerror' which is 
similar to your function.

Are there other opinions?

Thank you, I'll be inspired.

  
@@ -1347,8 +1348,8 @@ static int nss_cmd_getbynam(enum sss_cli_command cmd, struct cli_ctx *cctx)
  
  rawname = (const char *)body;
  
-DEBUG(SSSDBG_TRACE_FUNC, Running command [%d] with input [%s].\n,

-   dctx-cmdctx-cmd, rawname);
+DEBUG(SSSDBG_TRACE_FUNC, Running command [%s] with input [%s].\n,
+  sss_cli_command_2string(dctx-cmdctx-cmd), rawname);
  
  if (dctx-cmdctx-cmd == SSS_NSS_GETSIDBYNAME) {

  ret = nss_check_name_of_well_known_sid(cmdctx, rawname);
@@ -1737,7 +1738,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, 
struct cli_ctx *cctx)
  case SSS_NSS_GETSIDBYID:
  break;
  default:
-DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%d].\n, cmd);
+DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%s].\n,
+  sss_cli_command_2string(cmd));
  return EINVAL;
  }
  
@@ -1766,8 +1768,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, struct cli_ctx *cctx)

  }
  SAFEALIGN_COPY_UINT32(cmdctx-id, body, NULL);
  
-DEBUG(SSSDBG_TRACE_FUNC, Running command [%d] with id [%PRIu32].\n,

-  dctx-cmdctx-cmd, cmdctx-id);
+DEBUG(SSSDBG_TRACE_FUNC, Running command [%s] with id [%PRIu32].\n,
+  sss_cli_command_2string(dctx-cmdctx-cmd), cmdctx-id);
  
  switch(dctx-cmdctx-cmd) {

  case SSS_NSS_GETPWUID:
@@ -1805,8 +1807,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, 
struct cli_ctx *cctx)
  }
  break;
  default:
-DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%d].\n,
-dctx-cmdctx-cmd);
+DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%s].\n,
+  sss_cli_command_2string(dctx-cmdctx-cmd));
  ret = EINVAL;
  goto done;
  }
@@ -1851,8 +1853,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, 
struct cli_ctx *cctx)
  }
  break;
  default:
-DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%d].\n,
-dctx-cmdctx-cmd);
+DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%s].\n,
+  sss_cli_command_2string(dctx-cmdctx-cmd));
  ret = EINVAL;
  }
  
@@ -5172,7 +5174,8 @@ static int nss_cmd_getbysid(enum sss_cli_command cmd, struct cli_ctx *cctx)

  size_t bin_sid_length;
  
  if (cmd != SSS_NSS_GETNAMEBYSID  cmd != SSS_NSS_GETIDBYSID) {

-DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%d].\n, cmd);
+DEBUG

[SSSD] [WIKI] Contribute and DevelTips are duplicate

2015-07-10 Thread Petr Cech

Hi,

I've read the wiki according to
#  https://fedorahosted.org/sssd/ticket/2706
and I think that it could be helpful to clean the page
#  https://fedorahosted.org/sssd/wiki/DevelTutorials
from git topic and create new page for everything related to git.

The motivation is, that:
* Contribute briefly describes the whole process on a basic level,
* DevelTips looks like How To,
* DevelTutorials are more about technologies, libraries, build process...,
* So there could be one page for everything about git.


NOTES how we could edit wiki:

https://fedorahosted.org/sssd/wiki/Contribute

Contribute
Contribution Policy
Source Code Repository  /*
 * There could be only a link to the repo and
 * reference to New Git page.
 */
Tips and tricks for developers
QA, Development and Bug Triage
Development Repositories
Localization and Internationalization
Design Pages
Credits
Latest Documentation and Presentations


https://fedorahosted.org/sssd/wiki/DevelTips

SSSD Devel page
Are there any introductory tutorials available?
/* + Reference to the new Git page */
When I debug an SSSD process in a debugger, it always gets killed with …

Using valgrind to identify memory access problems
Using strace to track the SSSD processes
How do I track work-in-progress of other developers?  /*
* Is it
* still valid?
*
* I tried link
* for jhrozek and
* his sssd.git
* and the url
* doesn't exist.
*/
Why does make check take so long?
Using clang to perform static analysis of source code
When I compile the SSSD from source there is an error that says …


https://fedorahosted.org/sssd/wiki/DevelTutorials

/*
 * Label @new-git-page means
 * that I would like move given paragraph to the New git page
 */

Talloc
Tevent and tevent_req
Coding Style
Code Contributions   /* @new-git-page */
Getting the source   /* @new-git-page */
Building SSSD for development and debugging
Unit tests
Submitting a patch upstream  /* @new-git-page */
Patch metadata   /* @new-git-page */
Translation Contributions
Devel Tips


New Git page /* Maybe Git Tips? */

+ paragraph about git setup from Contribute-Source Code Repository
+ some paragraphs of DevelTutorials-Code Contributions


I am looking forward to your opinions.

Petr


Re: [SSSD] [PATCH] UTIL: Function 2string for enum sss_cli_command

2015-07-09 Thread Petr Cech

Hi!

There is my repaired patch. All of your comments were helpful.

I renamed the function to sss_cmd2str(), but maybe it could be 
sss_cli_cmd2str(). I am not sure with it, but if it is better, I will 
rename it again.


Petr

On 07/08/2015 03:26 PM, Sumit Bose wrote:

On Wed, Jul 08, 2015 at 02:13:42PM +0200, Petr Cech wrote:

Hi!

https://fedorahosted.org/sssd/ticket/2703

It's my first patch to this ticket. It is a simple transformation of the
command number to a string.

Hi Petr,

welcome and thank you for your first patch. Besides Pavel's suggestions
I have some general comments as well.

- There is pamcmd2str() which does a similar job for the backend code
   but I think it is becoming redundant with your patch. Can you remove
   this call and use yours where appropriate?

- I haven't tested it, but I'm pretty sure that the PAM module pam_sss
   which is built from pam_sss.c and some other files is broken in debug
   mode with your patch because sss_log.c is not used when building it and
   hence sss_cli_command_2string() will be undefined. You do not see this
   during compilation or even during 'make check' because the 'D' macro
   is only evaluated if PAM_DEBUG is defined during compilation. If you
   run something like 'make CFLAGS+=-DPAM_DEBUG check' the dlopen test
   should fail with your patch.

   Since the PAM module pam_sss.so might be loaded by any kind of
   processes at runtime we try to keep it as simple as possible and try
   to add as few dependencies as possible. If you search the Makefile.am
   for pam_sss_la_SOURCES you will see that besides source files from the
   sss_client directory we only add atomic_io.c and authtok-utils.c which
   both contain only a single function with no special dependencies.

   I would suggest that you put sss_cli_command_2string() in a file on
   its own similar like atomic_io.c or authtok-utils.c. And add this file
   to pam_sss_la_SOURCES and libsss_debug_la_SOURCES in Makefile.am. I
   leave it up to you to decide what would be a good place for this file.
   The sss_client directory because the enum sss_cli_command is defined
   here as well or the util directory because the main usage for it is in
   the SSSD code and not in the pam_sss module.

bye,
Sumit


From 8b3ae05fc97f548256dc8b72863183b9dc9a539a Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Wed, 8 Jul 2015 07:17:28 -0400
Subject: [PATCH] UTIL: Function 2string for enum sss_cli_command

Improvement of debug messages.
Instead of:(0x0400): Running command [17]...
We could see:(0x0400): Running command [17][SSS_NSS_GETPWNAM]...

Resolves:
https://fedorahosted.org/sssd/ticket/2703
---
 Makefile.am  |   4 +-
 src/providers/dp_pam_data_util.c |  27 +
 src/responder/nss/nsssrv_cmd.c   |  30 +++---
 src/sss_client/pam_sss.c |   6 +-
 src/tools/tools_mc_util.c|   4 +-
 src/util/sss_cli_cmd.c   | 219 +++
 src/util/sss_cli_cmd.h   |   9 ++
 src/util/sss_log.c   |   2 -
 8 files changed, 256 insertions(+), 45 deletions(-)
 create mode 100644 src/util/sss_cli_cmd.c
 create mode 100644 src/util/sss_cli_cmd.h

diff --git a/Makefile.am b/Makefile.am
index b8cbc6df23ded1edb945a709b6dbe1c44eb54017..f16b8ebdb4dd66c2d193c19bd8355782f4de4c9a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -678,7 +678,8 @@ endif
 pkglib_LTLIBRARIES += libsss_debug.la
 libsss_debug_la_SOURCES = \
 src/util/debug.c \
-src/util/sss_log.c
+src/util/sss_log.c \
+src/util/sss_cli_cmd.c
 libsss_debug_la_LIBADD = \
 $(SYSLOG_LIBS)
 libsss_debug_la_LDFLAGS = \
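Review bot: src/util/sss_cli_cmd.c is added to libsss_debug_la_SOURCES here and to pam_sss_la_SOURCES in the next hunk, but the new header src/util/sss_cli_cmd.h is not listed anywhere: the diffstat gives Makefile.am four changed lines and these two hunks account for all of them. pam_sss_la_SOURCES already lists its headers (sss_cli.h, sss_pam_macros.h, sss_pam_compat.h), so add the new header there or to the distributed headers list, otherwise it will be missing from a `make dist` tarball.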
@@ -2654,6 +2655,7 @@ pam_sss_la_SOURCES = \
 src/sss_client/sss_cli.h \
 src/util/atomic_io.c \
 src/util/authtok-utils.c \
+src/util/sss_cli_cmd.c \
 src/sss_client/sss_pam_macros.h \
 src/sss_client/sss_pam_compat.h
 
diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c
index 8724bf936f3f46fb8393c8a3da57215a73b4191a..10e91f5f7286db5e76ad98b6c7519f2482d006db 100644
--- a/src/providers/dp_pam_data_util.c
+++ b/src/providers/dp_pam_data_util.c
@@ -23,33 +23,10 @@
 */
 
 #include providers/data_provider.h
-
+#include util/sss_cli_cmd.h
 
 #define PAM_SAFE_ITEM(item) item ? item : not set
 
-static const char *pamcmd2str(int cmd) {
-switch (cmd) {
-case SSS_PAM_AUTHENTICATE:
-return PAM_AUTHENTICATE;
-case SSS_PAM_SETCRED:
-return PAM_SETCRED;
-case SSS_PAM_ACCT_MGMT:
-return PAM_ACCT_MGMT;
-case SSS_PAM_OPEN_SESSION:
-return PAM_OPEN_SESSION;
-case SSS_PAM_CLOSE_SESSION:
-return PAM_CLOSE_SESSION;
-case SSS_PAM_CHAUTHTOK:
-return PAM_CHAUTHTOK;
-case SSS_PAM_CHAUTHTOK_PRELIM:
-return PAM_CHAUTHTOK_PRELIM;
-case SSS_PAM_PREAUTH

Re: [SSSD] Code style -- for loop iterative variables initial declaration

2015-08-28 Thread Petr Cech

On 08/28/2015 09:18 AM, Lukas Slebodnik wrote:

On (28/08/15 09:03), Petr Cech wrote:

Hi everyone,

I would like to ask you what you think about the initialization of iterative
variables in for loops. I know that present code style does not allow it. But
how I recognized, we use C99, and this feature is here now.

(example)
Instead of:
# inti;
# for(i =0;...)
we could write:
# for(inti =0;...)

^
 There is a syntax error;
 variable inti is not defined :-)
 s/inti/int i/


Sorry for typo. My mail client plays game with me.


otherwise +1

and there are also precedents in sssd code.
src/lib/sifp/sss_sifp_parser.c:434:for (unsigned int i = 0;
src/providers/ipa/ipa_init.c:103:for (int i = 0; list[i]; i++) {
src/tests/ipa_ldap_opt-tests.c:267:for (int i=0; i  SDAP_OPTS_BASIC; i++) {
src/tools/tools_mc_util.c:173:for (size_t i = 0; i  steps_count; ++i) {
src/util/domain_info_utils.c:74:for (int i=0; parent-sd_enumerate[i]; 
i++) {

LS


Re: [SSSD] [PATCH] sss_override: document --debug options

2015-08-28 Thread Petr Cech

On 08/28/2015 03:13 PM, Petr Cech wrote:

I am doing code review for fixed patch now. Patch looks good to me and
it works.

I discussed the problem above (about fprintf vs. libpopt) with both
offline. The libpopt solution starts here [1] and I agree it would not
be straightforward. So I am inclined to the solution presented in the
patch.

Regards

Petr

[1] src/tools/sss_override.c:1412

PS: I am waiting for CI tests.


CI: http://sssd-ci.duckdns.org/logs/job/23/84/summary.html
Failing is not connected to this patch.

= ACK

Petr


Re: [SSSD] [PATCH] sss_override: document --debug options

2015-08-28 Thread Petr Cech

On 08/28/2015 12:25 PM, Pavel Březina wrote:



I would be also curious why you need to provide hacks
for printing argument description for autohelp.
There is a much more elegant way how to do it with libpopt.
(small hint POPT_ARGFLAG_DOC_HIDDEN in sss_tool_common_opts)


Your curiosity is remarkable, though I have no idea why are you
hinting this
flag.


because I cannot see a reason why we should
write tool tip with fprintf if
there is a way with libpopt.


Because there is a way, but not a straightforward and elegant way.
Since there is only one option and the list is not likely to be
extended, there is no problem with doing it this way.


It's not a NACK but I do not like your solution
so I will not ACK it either. You need to find someone else.


I'm completely fine with this.



LS


I am doing code review for fixed patch now. Patch looks good to me and 
it works.


I discussed the problem above (about fprintf vs. libpopt) with both 
offline. The libpopt solution starts here [1] and I agree it would not 
be straightforward. So I am inclined to the solution presented in the patch.


Regards

Petr

[1] src/tools/sss_override.c:1412

PS: I am waiting for CI tests.


Re: [SSSD] [PATCH] TESTS: ldap_id_cleanup timeouts

2015-08-28 Thread Petr Cech

On 08/27/2015 05:49 PM, Michal Židek wrote:


I agree. Attached is the same patch that was already ACKed,
just with the changed name and added const.

Michal


Yes, it is the same, with const.

ACK again.

Petr


Re: [SSSD] [PATCH] DATA_PROVIDER: BE_REQ as string in log message

2015-08-28 Thread Petr Cech

On 08/27/2015 01:26 PM, Lukas Slebodnik wrote:

Petr,
what do you think about small simplification.

  #include providers/data_provider_req.h

+#define be_req_to_str(req_type, be_req_t) \
+((req_type)  BE_REQ_FAST) \
+? FAST  #be_req_t \
+: #be_req_t
+
  const char *be_req2str(dbus_uint32_t req_type)
  {
  switch (req_type  BE_REQ_TYPE_MASK) {
  case BE_REQ_USER:
-return req_type  BE_REQ_FAST ?
-   FAST BE_REQ_USER : BE_REQ_USER;
+return be_req_to_str(req_type, BE_REQ_USER);
  case BE_REQ_GROUP:
  return req_type  BE_REQ_FAST ?
 FAST BE_REQ_GROUP : BE_REQ_GROUP;
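Review bot: The body of be_req_to_str() is a bare conditional expression with no enclosing parentheses, so it only behaves as intended while it is used directly after `return`; inside any larger expression the `?:` would bind to its neighbours. Wrap the whole expansion in parentheses, and convert the BE_REQ_GROUP case to the macro as well, since this hunk leaves it open-coded next to the converted BE_REQ_USER case.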

The result of the preprocessor is almost the same
and the code looks a little bit simpler.

const char *be_req2str(dbus_uint32_t req_type)
{
 switch (req_type  0x00FF) {
 case 0x0001:
 return ((req_type)  0x1000) ? FAST  BE_REQ_USER : BE_REQ_USER;
 case 0x0002:
 return req_type  0x1000 ?
FAST BE_REQ_GROUP : BE_REQ_GROUP;
 case 0x0003:
 return req_type  0x1000 ?
FAST BE_REQ_INITGROUPS : BE_REQ_INITGROUPS;


Feel free to rename macro; it's just a POC version.

LS


Thanks.

There is improved patch attached.

Petr
From baf0f51e8444bb0862efe4347d245f0b01834cfc Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Tue, 18 Aug 2015 06:59:31 -0400
Subject: [PATCH] DATA_PROVIDER: BE_REQ as string in log message

Add be_req2str() for translation BE_REQ to string.
So we will have
|| Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]
instead of
|| Got request for [0x1001][1][name=celestian]

Function be_req2str() is used in data provider and in responder too.
So this patch creates a new header file data_provider_req.h which
delivers function be_req2str() and definitions of BE_REQ_*.

Resolves:
https://fedorahosted.org/sssd/ticket/2708
---
 Makefile.am |  6 +++-
 src/providers/data_provider.h   | 17 +--
 src/providers/data_provider_be.c|  3 +-
 src/providers/data_provider_req.c   | 58 +
 src/providers/data_provider_req.h   | 51 
 src/responder/common/responder_dp.c |  4 +--
 6 files changed, 119 insertions(+), 20 deletions(-)
 create mode 100644 src/providers/data_provider_req.c
 create mode 100644 src/providers/data_provider_req.h

diff --git a/Makefile.am b/Makefile.am
index f153ab0adf390880672a1681b386ea26426465cb..94920b29d7aab44085e401f8ada8555ab69fed6a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -446,7 +446,8 @@ SSSD_RESPONDER_OBJ = \
 src/monitor/monitor_iface_generated.c \
 src/monitor/monitor_iface_generated.h \
 src/providers/data_provider_iface_generated.c \
-src/providers/data_provider_iface_generated.h
+src/providers/data_provider_iface_generated.h \
+src/providers/data_provider_req.c
 
 SSSD_TOOLS_OBJ = \
 src/tools/sss_sync_ops.c \
@@ -583,6 +584,7 @@ dist_noinst_HEADERS = \
 src/confdb/confdb_private.h \
 src/confdb/confdb_setup.h \
 src/providers/data_provider.h \
+src/providers/data_provider_req.h \
 src/providers/dp_backend.h \
 src/providers/dp_dyndns.h \
 src/providers/dp_ptask_private.h \
@@ -1193,6 +1195,7 @@ endif
 
 sssd_be_SOURCES = \
 src/providers/data_provider_be.c \
+src/providers/data_provider_req.c \
 src/providers/data_provider_fo.c \
 src/providers/data_provider_opts.c \
 src/providers/data_provider_callbacks.c \
@@ -1646,6 +1649,7 @@ simple_access_tests_SOURCES = \
 src/providers/simple/simple_access.c \
 src/providers/simple/simple_access_check.c \
 src/providers/data_provider_be.c \
+src/providers/data_provider_req.c \
 src/providers/data_provider_fo.c \
 src/providers/data_provider_opts.c \
 src/providers/data_provider_callbacks.c \
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 510c63ce41c99314ec8fcf11fffb2e66082e8951..39051b90c3aad96f62dcbb86a20bcfd8c954879b 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -43,6 +43,7 @@
 #include sbus/sbus_client.h
 #include sss_client/sss_cli.h
 #include util/authtok.h
+#include providers/data_provider_req.h
 #include providers/data_provider_iface_generated.h
 
 #define DATA_PROVIDER_VERSION 0x0001
@@ -131,22 +132,6 @@
 #define BE_FILTER_CERT 6
 #define BE_FILTER_WILDCARD 7
 
-#define BE_REQ_USER  0x0001
-#define BE_REQ_GROUP 0x0002
-#define BE_REQ_INITGROUPS0x0003
-#define BE_REQ_NETGROUP  0x0004
-#define BE_REQ_SERVICES  0x0005
-#define BE_REQ_SUDO_FULL 0x0006
-#define BE_REQ_SUDO_RULES0x0007
-#define BE_REQ_AUTOFS0x0009
-#define BE_REQ_HOST  0x0010
-#define BE_REQ_BY_SECID  0x0011
-#define BE_REQ_USER_AND_GROUP 0x0012
-#define BE_REQ_BY_UUID   0x0013
-#define BE_REQ_BY_CERT   0x0014
-#define BE_REQ_TYPE_MASK 0x00FF
-#define BE_REQ_FAST  0x1000
-
 #define DP_SEC_ID

Re: [SSSD] [PATCH] [HBAC]: Better libhbac debuging

2015-08-26 Thread Petr Cech



On 08/24/2015 03:45 PM, Pavel Reichl wrote:

On 07/24/2015 06:20 PM, Petr Cech wrote:

 From 2fcf13ef59f00b460afa77b27ef6cc2789b06393 Mon Sep 17 00:00:00 2001
From: Petr Cechpc...@redhat.com
Date: Fri, 24 Jul 2015 10:56:49 -0400
Subject: [PATCH] [HBAC]: Better libhbac debuging

s/debuging/debugging

Fixed.

Added support for logging via external log function.
Log provides information about rules evaluating (HBAC_DBG_INFO level)
and additionally can describe rules (HBAC_DBG_TRACE level).

Resolves:
https://fedorahosted.org/sssd/ticket/2703
---
  src/providers/ipa/hbac_evaluator.c | 146 +
  src/providers/ipa/ipa_access.c |  45 
  src/providers/ipa/ipa_hbac.exports |   3 +-
  src/providers/ipa/ipa_hbac.h   |  23 ++
  4 files changed, 216 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/hbac_evaluator.c 
b/src/providers/ipa/hbac_evaluator.c
index 
f40f9e0a7f16f5e012079c637b89c8e49ec5d15b..66d3512937702b5955f333c0c837807ee9e13deb
 100644
--- a/src/providers/ipa/hbac_evaluator.c
+++ b/src/providers/ipa/hbac_evaluator.c
@@ -24,6 +24,8 @@
  */
  
  #include stdlib.h

+#include stdio.h
+#include stdarg.h
  #include string.h
  #include errno.h
  #include providers/ipa/ipa_hbac.h
@@ -38,6 +40,41 @@ typedef int errno_t;
  #define EOK 0
  #endif
  
+/* HBAC logging system */

+
+/* static pointer to external logging function */
+static void (*hbac_debug_fn)(const char *file, int line, enum hbac_debug_level,
+ const char *format, ...) = NULL;
Do you think that introducing a new type using typedef for this type 
of callback would be more readable?

Yes, I do.
Fixed.

+
+/* setup function for external logging function */
+void hbac_enable_debug(void (*external_debug_fn)(const char *file, int line,
+   enum hbac_debug_level, const char *format, ...))
+{
+hbac_debug_fn = external_debug_fn;
+}
+
+/* debug macro */
+#define HBAC_DEBUG(level, format, ...) do { \
+if (hbac_debug_fn != NULL) { \
+hbac_debug_fn(__FILE__, __LINE__, level, format, ##__VA_ARGS__); \
+} \
+} while (0)
IMO macro should be defined after includes and before function 
definitions, but I haven't checked if we are 100 % consistent about this 
in SSSD.

Fixed.

+
+/* auxiliary function for hbac_request_element logging */
+static void hbac_request_element_debug_print(struct hbac_request_element *el,
+const char *label);

bad indentation

Fixed.

+
+/* auxiliary function for hbac_eval_req logging */
+static void hbac_req_debug_print(struct hbac_eval_req *req);
+
+/* auxiliary function for hbac_rule_element logging */
+static void hbac_rule_element_debug_print(struct hbac_rule_element *el,
+  const char *label);
+
+/* auxiliary function for hbac_rule logging */
+static void hbac_rule_debug_print(struct hbac_rule *rule);
+
+
  /* Placeholder structure for future HBAC time-based
   * evaluation rules
   */
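Review bot: The callback stored in hbac_debug_fn takes a printf-style format plus variadic arguments, but neither its declaration nor the parameter of hbac_enable_debug() carries a printf format attribute, so the compiler cannot check the HBAC_DEBUG() call sites against their arguments and a mismatch in this access-control log path would only show up at run time. Declaring the callback type once, with the attribute, would cover both places. The `##__VA_ARGS__` in HBAC_DEBUG is also a GNU extension, which deserves a comment if the library is expected to build with other compilers.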
@@ -110,6 +147,9 @@ enum hbac_eval_result hbac_evaluate(struct hbac_rule 
**rules,
  struct hbac_eval_req *hbac_req,
  struct hbac_info **info)
  {
+HBAC_DEBUG(HBAC_DBG_INFO, [ hbac_evaluate());
+hbac_req_debug_print(hbac_req);
+
We generally do not add any code before variable definitions, I 
understand that logging is kinda special, but I would prefer to add it 
after the definitions, do you agree?

Fixed.

  enum hbac_error_code ret;
  enum hbac_eval_result result = HBAC_EVAL_DENY;
  enum hbac_eval_result_int intermediate_result;
@@ -117,6 +157,7 @@ enum hbac_eval_result hbac_evaluate(struct hbac_rule 
**rules,
  if (info) {
  *info = malloc(sizeof(struct hbac_info));
  if (!*info) {
+HBAC_DEBUG(HBAC_DBG_ERROR, Out of memory.);
  return HBAC_EVAL_OOM;
  }
  (*info)-code = HBAC_ERROR_UNKNOWN;
@@ -125,20 +166,25 @@ enum hbac_eval_result hbac_evaluate(struct hbac_rule 
**rules,
  uint32_t i;
  
  for (i = 0; rules[i]; i++) {

+hbac_rule_debug_print(rules[i]);
  intermediate_result = hbac_evaluate_rule(rules[i], hbac_req, ret);
  if (intermediate_result == HBAC_EVAL_UNMATCHED) {
  /* This rule did not match at all. Skip it */
+HBAC_DEBUG(HBAC_DBG_INFO, DISALLOWED by rule [%s].,
+   rules[i]-name);
  continue;
  } else if (intermediate_result == HBAC_EVAL_MATCHED) {
  /* This request matched an ALLOW rule
   * Set the result to ALLOW but continue checking
   * the other rules in case a DENY rule trumps it.
   */
+HBAC_DEBUG(HBAC_DBG_INFO, ALLOWED by rule [%s]., rules[i]-name);
  result = HBAC_EVAL_ALLOW;
  if (info) {
  (*info)-code = HBAC_SUCCESS;
  (*info)-rule_name = strdup(rules[i]-name
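Review bot: in the HBAC_EVAL_UNMATCHED branch the new message reads "DISALLOWED by rule [%s].", but the comment directly above it says the rule did not match at all and is skipped, so that rule made no decision. In an access-control log this wording points whoever is debugging a denial at the wrong rule. Something like "UNMATCHED rule [%s]" keeps it distinct from the default HBAC_EVAL_DENY result that is set before the loop.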

Re: [SSSD] [PATCH] [HBAC]: Better libhbac debuging

2015-08-31 Thread Petr Cech

On 08/27/2015 10:42 AM, Pavel Reichl wrote:

* SSSDBG_TRACE_ALL produces:

...hbac_evaluator.c:150] [< hbac_evaluate()
...hbac_evaluator.c:410]   REQUEST:
...hbac_evaluator.c:391] service [sshd]
...hbac_evaluator.c:400] service_group (none)
...hbac_evaluator.c:391] user [csikos]
...hbac_evaluator.c:395] user_group:

I think it could be useful to move user and maybe user_group to a less
verbose level - I think it could be hard to navigate in less verbose
logs otherwise, do you agree?

...hbac_evaluator.c:397]   [ipausers]
...hbac_evaluator.c:391] targethost [albireo.cygnus.dev]
...hbac_evaluator.c:400] targethost_group (none)
...hbac_evaluator.c:391] srchost [192.168.122.106]
...hbac_evaluator.c:400] srchost_group (none)
...hbac_evaluator.c:417] request time Fri Jul 24 14:29:36 2015
...hbac_evaluator.c:454]   RULE [szabo_allowed] [ENABLED]:
...hbac_evaluator.c:456] services:
...hbac_evaluator.c:427]   category [0] [NONE]
...hbac_evaluator.c:435]   services_names (none)
...hbac_evaluator.c:440]   services_groups:
...hbac_evaluator.c:442] [Sudo]
...hbac_evaluator.c:462] users:

It was commented in previous mail. I agree.


On 08/26/2015 09:44 AM, Petr Cech wrote:


0001-TESTS-Fixing-of-uninitialized-pointer.patch

Nice catch! CI passed. ACK to this patch

Thanks.



0002-HBAC-Better-libhbac-debugging.patch


 From 75d97a5336e2b66d4bb187ce024ad9be9b2702b9 Mon Sep 17 00:00:00 2001
From: Petr Cech<pc...@redhat.com>
Date: Fri, 24 Jul 2015 10:56:49 -0400
Subject: [PATCH 2/2] HBAC: Better libhbac debugging

Added support for logging via external log function.
Log provides information about rules evaluating (HBAC_DBG_INFO level)
and additionally can describe rules (HBAC_DBG_TRACE level).

Resolves:
https://fedorahosted.org/sssd/ticket/2703
---
  src/providers/ipa/hbac_evaluator.c | 149 +
  src/providers/ipa/ipa_access.c |  45 +++
  src/providers/ipa/ipa_hbac.exports |   3 +-
  src/providers/ipa/ipa_hbac.h   |  22 ++
  4 files changed, 218 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/hbac_evaluator.c 
b/src/providers/ipa/hbac_evaluator.c
index 
f40f9e0a7f16f5e012079c637b89c8e49ec5d15b..976d5887baeecbb45d660c0de5ca54c914fc6367
 100644
--- a/src/providers/ipa/hbac_evaluator.c
+++ b/src/providers/ipa/hbac_evaluator.c
@@ -24,6 +24,8 @@
  */

  #include 
+#include 
+#include 

Are these header files really needed? What do we need from them? I'm
just asking as code seems to compile fine even without them.

Amazingly, it works. The reason was things like ##__VA_ARGS__ in the new
HBAC_DEBUG macro.

  #include 
  #include 
  #include "providers/ipa/ipa_hbac.h" @@ -38,6 +40,39 @@ typedef int errno_t; 
#define EOK 0 #endif +/*
HBAC logging system */ + +/* debug macro */ +#define HBAC_DEBUG(level,
format, ...) do { \ + if (hbac_debug_fn != NULL) { \ +
hbac_debug_fn(__FILE__, __LINE__, level, format, ##__VA_ARGS__); \ + }
\ +} while (0) + +/* static pointer to external logging function */
+static hbac_debug_fn_t hbac_debug_fn = NULL; + +/* setup function for
external logging function */ +void hbac_enable_debug(hbac_debug_fn_t
external_debug_fn) +{ + hbac_debug_fn = external_debug_fn; +} + +/*
auxiliary function for hbac_request_element logging */ +static void
hbac_request_element_debug_print(struct hbac_request_element *el, +
const char *label); + +/* auxiliary function for hbac_eval_req logging
*/ +static void hbac_req_debug_print(struct hbac_eval_req *req); + +/*
auxiliary function for hbac_rule_element logging */ +static void
hbac_rule_element_debug_print(struct hbac_rule_element *el, + const
char *label); + +/* auxiliary function for hbac_rule logging */
+static void hbac_rule_debug_print(struct hbac_rule *rule); + + /*
Placeholder structure for future HBAC time-based * evaluation rules */
@@ -114,9 +149,13 @@ enum hbac_eval_result hbac_evaluate(struct
hbac_rule **rules, enum hbac_eval_result result = HBAC_EVAL_DENY; enum
hbac_eval_result_int intermediate_result; + HBAC_DEBUG(HBAC_DBG_INFO, "[< 
hbac_evaluate()");
+hbac_req_debug_print(hbac_req);
+
  if (info) {
  *info = malloc(sizeof(struct hbac_info));
  if (!*info) {
+HBAC_DEBUG(HBAC_DBG_ERROR, "Out of memory.");
  return HBAC_EVAL_OOM;
  }
  (*info)->code = HBAC_ERROR_UNKNOWN;
@@ -125,20 +164,25 @@ enum hbac_eval_result hbac_evaluate(struct hbac_rule 
**rules,
  uint32_t i;

  for (i = 0; rules[i]; i++) {
+hbac_rule_debug_print(rules[i]);
  intermediate_result = hbac_evaluate_rule(rules[i], hbac_req, );
  if (intermediate_result == HBAC_EVAL_UNMATCHED) {
  /* This rule did not match at all. Skip it */
+HBAC_DEBUG(HBAC_DBG_INFO, "DISALLOWED by rule [%s].",
+   rules[i]->name);
  continue;
  } else if (intermediate_re
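Review bot: HBAC_DEBUG hands format and the variadic arguments straight to the external hbac_debug_fn, and nothing visible in this patch lets the compiler check them against each other, for example the "%s" paired with rules[i]->name. If the hbac_debug_fn_t typedef in ipa_hbac.h does not already carry a printf-style format attribute, please add one. The macro also relies on ##__VA_ARGS__, which is a GNU extension; since every call passes a format, taking the format as part of __VA_ARGS__ would avoid it, or the dependency should be noted in a comment next to the macro.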

Re: [SSSD] [PATCH] [HBAC]: Better libhbac debuging

2015-08-31 Thread Petr Cech

On 08/31/2015 01:32 PM, Pavel Reichl wrote:

0x2000

(Mon Aug 31 07:03:04 2015) [sssd[be[cygnus.dev]]] [hbac] (0x0100): 
[../src/providers/ipa/hbac_evaluator.c:152] [< hbac_evaluate()
(Mon Aug 31 07:03:04 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:409]   REQUEST:
(Mon Aug 31 07:03:04 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:390] service [sshd]
(Mon Aug 31 07:03:04 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:399] service_group (none)
(Mon Aug 31 07:03:04 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:390] user [csikos]

I think it would be useful to print this line

(Mon Aug 31 07:03:04 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:394] user_group:
(Mon Aug 31 07:03:04 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:396]   [ipausers]

and this line even for debug_level 0x0100

But I don't insist. I won't delay patch for this.


I would like to do it, but it is not so easy. The new HBAC logging system
provides two new levels.


The first level goes through all rules and says whether each allows or
disallows. The second writes all information: about the request, about
each rule.


The simple solution is a compromise. I could switch all request information
from level 2 to level 1. So we could have that information, see
attachment.


Petr

(Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:407]  REQUEST:
(Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:388]  service [sshd]
(Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:397]  service_group (none)
(Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:388]  user [csikos]
(Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:392]  user_group:
(Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:394]  [ipausers]
(Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:388]  targethost 
[albireo.cygnus.dev]
(Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:397]  targethost_group (none)
(Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:388]  srchost [192.168.122.106]
(Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:397]  srchost_group (none)
(Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): 
[../src/providers/ipa/hbac_evaluator.c:417]  request time 2015-08-31 
11:33:21

___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
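
The two log levels described in the message above, as an added example that is not part of the original thread and is not libhbac code. All demo_* names are hypothetical, the rules and requests are constructed, and the evaluator is simplified to allow rules with a default deny.

```c
/* Added example with hypothetical demo_* names; this is not libhbac's API. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum demo_level { DEMO_DBG_ERROR = 1, DEMO_DBG_INFO, DEMO_DBG_TRACE };
enum demo_result { DEMO_EVAL_DENY, DEMO_EVAL_ALLOW };

#define DEMO_PRINTF(f, a) __attribute__((format(printf, f, a)))

/* Callback type; the attribute makes the compiler check format arguments. */
typedef void (*demo_debug_fn_t)(const char *file, int line,
                                enum demo_level level,
                                const char *fmt, ...) DEMO_PRINTF(4, 5);

static demo_debug_fn_t demo_debug_fn = NULL;

void demo_enable_debug(demo_debug_fn_t fn) { demo_debug_fn = fn; }

/* The format is part of __VA_ARGS__, so no GNU "##" extension is needed. */
#define DEMO_DEBUG(level, ...) do { \
    if (demo_debug_fn != NULL) { \
        demo_debug_fn(__FILE__, __LINE__, (level), __VA_ARGS__); \
    } \
} while (0)

struct demo_rule { const char *name; const char *user; const char *service; };
struct demo_req { const char *user; const char *service; };

/* Simplified evaluator: allow rules only, default deny. */
enum demo_result demo_evaluate(const struct demo_rule *rules, size_t n,
                               const struct demo_req *req)
{
    enum demo_result result = DEMO_EVAL_DENY;

    /* Who asked for what is logged at INFO so short logs stay navigable. */
    DEMO_DEBUG(DEMO_DBG_INFO, "REQUEST user [%s] service [%s]",
               req->user, req->service);
    for (size_t i = 0; i < n; i++) {
        /* The full rule description appears only at the TRACE level. */
        DEMO_DEBUG(DEMO_DBG_TRACE, "  RULE [%s]: user [%s] service [%s]",
                   rules[i].name, rules[i].user, rules[i].service);
        if (strcmp(rules[i].user, req->user) != 0 ||
            strcmp(rules[i].service, req->service) != 0) {
            /* A rule that does not match decides nothing; log it as such. */
            DEMO_DEBUG(DEMO_DBG_INFO, "UNMATCHED rule [%s]", rules[i].name);
            continue;
        }
        DEMO_DEBUG(DEMO_DBG_INFO, "ALLOWED by rule [%s]", rules[i].name);
        result = DEMO_EVAL_ALLOW;
    }
    return result;
}

/* Caller side: a logger that filters by verbosity and captures lines. */
static enum demo_level demo_verbosity = DEMO_DBG_INFO;
static char demo_log[1024];
static int demo_log_lines;

DEMO_PRINTF(4, 5)
static void demo_capture_log(const char *file, int line,
                             enum demo_level level, const char *fmt, ...)
{
    size_t used = strlen(demo_log);
    va_list ap;

    (void)file; (void)line;
    if (level > demo_verbosity || used + 2 >= sizeof(demo_log)) {
        return; /* too verbose for this run, or the buffer is full */
    }
    va_start(ap, fmt);
    vsnprintf(demo_log + used, sizeof(demo_log) - used - 1, fmt, ap);
    va_end(ap);
    strcat(demo_log, "\n");
    demo_log_lines++;
}

/* Evaluate a constructed sshd request for `user` against constructed rules. */
enum demo_result demo_run(enum demo_level verbosity, const char *user)
{
    static const struct demo_rule rules[] = {
        { "szabo_allowed", "szabo", "sshd" },
        { "csikos_allowed", "csikos", "sshd" },
    };
    struct demo_req req = { user, "sshd" };

    demo_verbosity = verbosity;
    demo_log[0] = '\0';
    demo_log_lines = 0;
    demo_enable_debug(demo_capture_log);
    return demo_evaluate(rules, sizeof(rules) / sizeof(rules[0]), &req);
}

int main(void)
{
    enum demo_result res = demo_run(DEMO_DBG_TRACE, "csikos");

    printf("%s=> %s\n", demo_log, res == DEMO_EVAL_ALLOW ? "ALLOW" : "DENY");
    return 0;
}
```

At the INFO level the captured log holds the request and one verdict line per rule; the rule descriptions are added only at TRACE.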


Re: [SSSD] Code style -- for loop iterative variables initial declaration

2015-08-31 Thread Petr Cech



On 08/31/2015 01:09 PM, Alexander Bokovoy wrote:

On Mon, 31 Aug 2015, Lukas Slebodnik wrote:

On (29/08/15 14:33), Alexander Bokovoy wrote:

On Fri, 28 Aug 2015, Petr Cech wrote:

Hi everyone,

I would like to ask you what you think about the initialization of
iterative variables in for loops. I know that present code style does
not allow it. But as I recognized, we use C99, and this feature is here
now.

(example)
Instead of:
    int i;
    for (i = 0; ...)
we could write:
    for (int i = 0; ...)

I see an advantage in limiting the validity of such variables. That
means
higher code readability. Disadvantages I searched but did not find.

What this misses is a use case of indexed searches where resulting index
value is used beyond the loop itself. By changing context of variable
declaration, you make variable inaccessible outside of the loop.


I would say it's exactly the purpose of this proposal.
To decrease scope of visibility so the index variable with short name
cannot be misused for different purpose.

Huh? There are valid cases where you search for an element and then use
it further in the code. The index is what you get as the result of the
search, not a reference to the element. Sometimes you need an element's
reference but in many cases you need an index.


Yes, I agree. There are different situations.


Reducing scope is fine if you understand the context but claiming
'misuse' is a bit too much here.


+1

I'd suggest adding this syntax recommendation to SSSD C coding style
guidelines but add as well a bit of explanation on these two types of
loop usage patterns.

+1

Petr


Re: [SSSD] [PATCH] UTIL: Function 2string for enum sss_cli_command

2015-09-01 Thread Petr Cech

On 08/31/2015 09:51 PM, Jakub Hrozek wrote:

On Mon, Aug 31, 2015 at 06:33:52PM +0200, Jakub Hrozek wrote:

On Thu, Aug 27, 2015 at 12:19:18PM +0200, Lukas Slebodnik wrote:

ACK

LS


* master: 11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a


This patch broke distcheck:

../src/util/sss_cli_cmd.c  -fPIC -DPIC -o src/util/.libs/sss_cli_cmd.o
../src/util/sss_cli_cmd.c:21:30: fatal error: util/sss_cli_cmd.h: No
such file or directory
  #include "util/sss_cli_cmd.h"
^

Please fix ASAP..



I am sorry. There is a fix attached.

Petr
>From 93dbe494d14df22b6e33d100d40a3665a2990e56 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Tue, 1 Sep 2015 02:40:36 -0400
Subject: [PATCH] UTIL: Fixing Makefile.am for util/sss_cli_cmd.h

Last patch for ticket 2708 broke make distcheck. This is fix.

Resolves:
https://fedorahosted.org/sssd/ticket/2708
---
 Makefile.am | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Makefile.am b/Makefile.am
index d4504aba3cc233a8eae8c04d37c54208dad233c0..ac6221f3ca0b414bd4eeebfe4c66640e48b0da8b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -520,6 +520,7 @@ dist_noinst_HEADERS = \
 src/util/util_errors.h \
 src/util/safe-format-string.h \
 src/util/strtonum.h \
+src/util/sss_cli_cmd.h \
 src/util/sss_endian.h \
 src/util/sss_nss.h \
 src/util/sss_ldap.h \
-- 
2.4.3



[SSSD] Wiki pages updated

2015-09-03 Thread Petr Cech

Hi,

I just updated the wiki pages. I removed some duplicated
and outdated info. I hope that the pages are now clearer.

Petr

PS: If you need more info, see thread "[SSSD] [WIKI] Contribute and 
DevelTips are duplicate".



Re: [SSSD] [WIKI] Contribute and DevelTips are duplicate

2015-09-03 Thread Petr Cech

On 09/02/2015 05:47 PM, Jakub Hrozek wrote:

On Wed, Sep 02, 2015 at 05:18:24PM +0200, Michal Židek wrote:

On 08/17/2015 02:21 PM, Petr Cech wrote:

On 07/17/2015 01:26 PM, Petr Cech wrote:

Hi,

I have read the wiki pages. And I have the edited version. It would be
difficult to send the diff, so I started a new pages where you can
view the result.

Original pages:
[ 1] https://fedorahosted.org/sssd/wiki/Contribute
[ 2] https://fedorahosted.org/sssd/wiki/DevelTips
[ 3] https://fedorahosted.org/sssd/wiki/DevelTutorials
[ 4] https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs
[ 5] https://fedorahosted.org/sssd/wiki/BugLifecycle
[ 6] https://fedorahosted.org/sssd/wiki/Repositories

Content of [3] has been divided between [1] and [3], content of [5]
has been divided between [1] and [4]. Then [3,5,6] will be deleted.

Test of new pages:
[ 7] https://fedorahosted.org/sssd/wiki/pcech_test_contribute
[ 8] https://fedorahosted.org/sssd/wiki/pcech_test_devel_tips
[ 9] https://fedorahosted.org/sssd/wiki/pcech_test_reporting_sssd_bugs

Note that the links lead to the original pages.
At [7] you can find "COPR Repository" section, but I am not sure with
text here. Please look at it.
I did not pass the whole wiki. I think there might be a link from [8]
(perhaps [9]) on Troubleshooting.

I look forward to your comments, I need the opinions of other people.

Petr


Hi,

I did some little edits according to talk with Jakub:
   * deleting Code Submission Process in Contribute
   * simplifying the structure of the headings in Contribute
   * adding link to tevent documentation in Devel tips
   * merging SSSD bug report
and we would like to move link to COPR repo to the homepage (and add
note about Ubuntu package, is it right?)

So new version (without homepage and link to Ubuntu repo) is on the same
place:
[ 7] https://fedorahosted.org/sssd/wiki/pcech_test_contribute
[ 8] https://fedorahosted.org/sssd/wiki/pcech_test_devel_tips
[ 9] https://fedorahosted.org/sssd/wiki/pcech_test_reporting_sssd_bugs

Petr


Hi!

I think that Petr's changes to Wiki are improvement over the
current state. He removes a lot of duplicated and outdated
info. So if nobody objects I would like Petr to go ahead
and replace the current pages with the new ones.


Thank you very much for review, they looked good to me as well when we
discussed the changes in person last time.

Petr, please move the pages and then send a mail to the list about the
update, we can always change more stuff or even roll back.


I just updated the wiki pages. I will send another mail for it.

But in this thread, I would like to note, what is exactly done.

Original pages:
[ 1] https://fedorahosted.org/sssd/wiki/Contribute
[ 2] https://fedorahosted.org/sssd/wiki/DevelTips
[ 3] https://fedorahosted.org/sssd/wiki/DevelTutorials
[ 4] https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs
[ 5] https://fedorahosted.org/sssd/wiki/BugLifecycle
[ 6] https://fedorahosted.org/sssd/wiki/Repositories

Content of [3] has been divided between [1] and [3], content of [5]
has been divided between [1] and [4]. Then [3,5,6] will be deleted.

Test of new pages:
[ 7] https://fedorahosted.org/sssd/wiki/pcech_test_contribute
[ 8] https://fedorahosted.org/sssd/wiki/pcech_test_devel_tips
[ 9] https://fedorahosted.org/sssd/wiki/pcech_test_reporting_sssd_bugs

UPDATE:
[ 7] --> [ 1]
[ 8] --> [ 2]
[ 9] --> [ 4]
Pages [7,8,9] still exist, but we could remove them.
Pages [3,5,6] exist too, but I hope no links target them. We could
remove them too.

I am sorry, but after this ticket I am blind on wiki. Could somebody 
check, that I did update properly? Thanks.


Petr




I have one comment: Does somebody know how to move the
table of contents to the left? Currently it is in the upper
right corner and I think (especially on bigger monitors)
it is really not easy to spot. The table is IMO very important
and gives good outline of what to expect from the page
so I would really like to have it on the left nice and
visible.


I only found http://trac.edgewall.org/wiki/PageOutline about the macro.



Also I like the idea of revisiting the wiki pages regularly
in order to further improve them and keep them up-to-date.
I think the overall navigation on our wiki has room for
improvement, but we do not need to do everything at once.



Hmm I guess I missed that how exactly are we going to update them
regularly? (I agree we should, I'm just interested in the mechanics)


[SSSD] Fix #2275 nested netgroups do not work in IPA provider

2015-09-02 Thread Petr Cech

Hi,

reverting this commit "5e9bc89b28f1ac3ce573ecdece74fe9623580c28" fixed 
the problem for me. So is the original commit no longer valid?


Regards,

Petr
>From 3a161789fc8ef82f4636e55369f4c5b04985f7c2 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Wed, 2 Sep 2015 11:51:12 -0400
Subject: [PATCH] Revert "netgroup: resolve hostgroup membership correctly"

This reverts commit 5e9bc89b28f1ac3ce573ecdece74fe9623580c28.

Ticket: https://fedorahosted.org/sssd/ticket/2275
---
 src/providers/ipa/ipa_netgroups.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index db29d29ee8f18d3d963402c4811bdef43bae63dc..8a68ae41311a95d7489868c7d21b739886cf4eea 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -715,7 +715,7 @@ static bool extract_entities(hash_entry_t *entry, void *pvt)
 state = talloc_get_type(pvt, struct extract_state);
 member = talloc_get_type(entry->value.ptr, struct sysdb_attrs);
 
-ret = sysdb_attrs_get_el(member, SYSDB_ORIG_MEMBEROF, );
+ret = sysdb_attrs_get_el(member, SYSDB_MEMBEROF, );
 if (ret != EOK) return false;
 
 ret = sysdb_attrs_get_el(member, SYSDB_NAME, _el);
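Review bot: the commit message gives no reason for the revert. The one changed line makes extract_entities read SYSDB_MEMBEROF instead of SYSDB_ORIG_MEMBEROF, which undoes what the reverted commit ("netgroup: resolve hostgroup membership correctly") was for. Please state why that fix is no longer needed, or how hostgroup membership is still resolved after this change, and what was tested.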
-- 
2.4.3



Re: [SSSD] Fix #2275 nested netgroups do not work in IPA provider

2015-09-04 Thread Petr Cech

On 09/04/2015 03:24 PM, Petr Cech wrote:

On 09/03/2015 03:45 PM, Sumit Bose wrote:

I tried both cases. I used only originalMemberOf and I had right
hostgroups, no user groups. Then I used only memberOf and I had no
hostgroups, right user groups.

So I did little hack, we could use both memberOf. The patch is
attached and it works for me.

Hi Petr,

thank you for the patch I haven't tested it yet. But I think I now
understand the issue better. Currently we store the originalMemberOf
attribute for users and hosts but not for POSIX/user groups (we do not
even read it from LDAP). So an alternative fix might be to add memberOf
attribute to the list of attribute read from LDAP for POSIX groups and
save the result in originalMemberOf in the cache. Then using only
originalMemberOf should be sufficient for the netgroups lookup.

Would you mind to try this? For a test it should be sufficient to add a
line like

 { "ldap_group_member_of", "memberOf", SYSDB_MEMBEROF, NULL }

to all 'struct sdap_attr_map *_group_map[]' lists and a corresponding
entry to 'enum sdap_group_attrs'.

bye,
Sumit



Hello Sumit,

I tried your alternative way (thanks for it). Patch is attached.
I added some lines like:
  { "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL }
and it works for me.

I hope that meaning of this patch is saving user/POSIX group memberOf
attribute to originalMemberOf attribute.

Regards,

Petr

And there is version with ticket number.




>From 0207fbc11e56efea8796b88e8fa449f82c4628fe Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Fri, 4 Sep 2015 09:09:25 -0400
Subject: [PATCH] IPA PROVIDER: Resolve nested netgroup membership

Information about posix/user group membership is stored in memberOf
attribute. And information about hostgroup membership is stored
in originalMemberOf.
Netgroup membership process looks only into originalMemberOf.
This patch adds saving of posix/user group memberOf attribute to
originalMemberOf storage.

Resolves:
https://fedorahosted.org/sssd/ticket/2275
---
 src/providers/ad/ad_opts.h | 1 +
 src/providers/ipa/ipa_opts.h   | 1 +
 src/providers/ldap/ldap_opts.h | 3 +++
 src/providers/ldap/sdap.h  | 1 +
 4 files changed, 6 insertions(+)

diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 00586a7ada63ad4c89630e9589d3ff75d1726703..7917e8fc5e60ed27e7ed1248550d1e65d2d159d2 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -192,6 +192,7 @@ struct sdap_attr_map ad_2008r2_user_map[] = {
 { "ldap_user_principal", "userPrincipalName", SYSDB_UPN, NULL },
 { "ldap_user_fullname", "name", SYSDB_FULLNAME, NULL },
 { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+{ "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL },
 { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL },
 { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
 { "ldap_user_primary_group", "primaryGroupID", SYSDB_PRIMARY_GROUP, NULL },
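Review bot: this adds a second ad_2008r2_user_map entry with the same option name "ldap_user_member_of" and the same LDAP attribute "memberOf", differing only in the sysdb target (SYSDB_ORIG_MEMBEROF). It is not clear from the hunk how a map with two entries under one option name behaves when that option is overridden in the configuration, and the diffstat shows an entry added to sdap.h that every map then has to stay in step with. Please explain this in the commit message or in a comment next to the new entry.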
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 78949e3ddec95f7f4303eab905bbbf6ec14ed6ae..9b5fdd138fbdf09f3d3662c011ea792f6272b7a6 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -180,6 +180,7 @@ struct sdap_attr_map ipa_user_map[] = {
 { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
 { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
 { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+{ "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL },
 { "ldap_user_uuid", "ipaUniqueID", SYSDB_UUID, NULL },
 { "ldap_user_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL },
 { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 9f58db5bd9eef1391e97c1890cbff94c2a5406d6..db7bc560f430331462470b2825f6319dbaaf9141 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -156,6 +156,7 @@ struct sdap_attr_map rfc2307_user_map[] = {
 { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
 { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
 { "ldap_user_member_of", NULL, SYSDB_MEMBEROF, NULL },
+{ "ldap_user_member_of", NULL, SYSDB_ORIG_MEMBEROF, NULL },
 { "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
 { "ldap_us

Re: [SSSD] Fix #2275 nested netgroups do not work in IPA provider

2015-09-04 Thread Petr Cech

On 09/03/2015 03:45 PM, Sumit Bose wrote:

I tried both cases. I used only originalMemberOf and I had right hostgroups,
no user groups. Then I used only memberOf and I had no hostgroups, right
user groups.

So I did little hack, we could use both memberOf. The patch is attached and
it works for me.

Hi Petr,

thank you for the patch I haven't tested it yet. But I think I now
understand the issue better. Currently we store the originalMemberOf
attribute for users and hosts but not for POSIX/user groups (we do not
even read it from LDAP). So an alternative fix might be to add memberOf
attribute to the list of attribute read from LDAP for POSIX groups and
save the result in originalMemberOf in the cache. Then using only
originalMemberOf should be sufficient for the netgroups lookup.

Would you mind to try this? For a test it should be sufficient to add a
line like

 { "ldap_group_member_of", "memberOf", SYSDB_MEMBEROF, NULL }

to all 'struct sdap_attr_map *_group_map[]' lists and a corresponding
entry to 'enum sdap_group_attrs'.

bye,
Sumit



Hello Sumit,

I tried your alternative way (thanks for it). Patch is attached.
I added some lines like:
  { "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL }
and it works for me.

I hope that meaning of this patch is saving user/POSIX group memberOf 
attribute to originalMemberOf attribute.


Regards,

Petr
>From a5b0e35de6a9cb6e9e1881deaae9fa55701aa33a Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Fri, 4 Sep 2015 09:09:25 -0400
Subject: [PATCH] IPA PROVIDER: Resolve nested netgroup membership

Information about posix/user group membership is stored in memberOf
attribute. And information about hostgroup membership is stored
in originalMemberOf.
Netgroup membership process looks only into originalMemberOf.
This patch adds saving of posix/user group memberOf attribute to
originalMemberOf storage.

Resolves:
https://fedorahosted.org/sssd/ticket/
---
 src/providers/ad/ad_opts.h | 1 +
 src/providers/ipa/ipa_opts.h   | 1 +
 src/providers/ldap/ldap_opts.h | 3 +++
 src/providers/ldap/sdap.h  | 1 +
 4 files changed, 6 insertions(+)

diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 00586a7ada63ad4c89630e9589d3ff75d1726703..7917e8fc5e60ed27e7ed1248550d1e65d2d159d2 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -192,6 +192,7 @@ struct sdap_attr_map ad_2008r2_user_map[] = {
 { "ldap_user_principal", "userPrincipalName", SYSDB_UPN, NULL },
 { "ldap_user_fullname", "name", SYSDB_FULLNAME, NULL },
 { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+{ "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL },
 { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL },
 { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
 { "ldap_user_primary_group", "primaryGroupID", SYSDB_PRIMARY_GROUP, NULL },
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 78949e3ddec95f7f4303eab905bbbf6ec14ed6ae..9b5fdd138fbdf09f3d3662c011ea792f6272b7a6 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -180,6 +180,7 @@ struct sdap_attr_map ipa_user_map[] = {
 { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
 { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
 { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+{ "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL },
 { "ldap_user_uuid", "ipaUniqueID", SYSDB_UUID, NULL },
 { "ldap_user_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL },
 { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
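Review bot: the commit message says the patch saves the posix/user group memberOf attribute into originalMemberOf, but this entry is added to ipa_user_map, not to a group map. The proposal quoted earlier in this message was a "ldap_group_member_of" entry in the *_group_map[] lists, and it also says originalMemberOf is already stored for users. Please reconcile the hunk with the description, or explain why the user map is the right place.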
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 9f58db5bd9eef1391e97c1890cbff94c2a5406d6..db7bc560f430331462470b2825f6319dbaaf9141 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -156,6 +156,7 @@ struct sdap_attr_map rfc2307_user_map[] = {
 { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
 { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
 { "ldap_user_member_of", NULL, SYSDB_MEMBEROF, NULL },
+{ "ldap_user_member_of", NULL, SYSDB_ORIG_MEMBEROF, NULL },
 { "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
 { "ldap_user_objectsid", NULL, SYSDB_SID, NULL },
 { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
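Review bot: in rfc2307_user_map the new entry has a NULL attribute name, like the SYSDB_MEMBEROF entry above it, so by default nothing is read for it. If it is present only so that this map keeps the same layout as the other user maps after the sdap.h change, say so in a comment; otherwise it can be dropped from this map.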
@@ -212,6 +213,7 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
 { "ldap_user_principal", "krbPrincip

Re: [SSSD] [PATCH] UTIL: Alternative way for debug message initialisation

2015-09-08 Thread Petr Cech

On 09/08/2015 03:31 PM, Lukas Slebodnik wrote:

I would rather used option d) than option a). (Do not change anything)

Option b) does not require namespacing, because it is a local macro.
Option c) is the most readable, but there is a collision with gnu gettext.
So it cannot be used.

LS


Only my 2 cents:
Isn't compile time check really important feature?
Petr


Re: [SSSD] Fix #2275 nested netgroups do not work in IPA provider

2015-09-03 Thread Petr Cech

On 09/03/2015 08:18 AM, Jakub Hrozek wrote:

On Thu, Sep 03, 2015 at 06:15:24AM +0200, Lukas Slebodnik wrote:

On (02/09/15 18:06), Petr Cech wrote:

Hi,

reverting this commit "5e9bc89b28f1ac3ce573ecdece74fe9623580c28" fixed the
problem for me. So is the original commit no longer valid?


I'm little bit worried about reverting this patch.
Did you test the bug which was fixed by this commit.
@see https://fedorahosted.org/sssd/ticket/1519

Thanks.

Tested. We need both patches (because user groups are in memberOf and 
host groups are in orig_memberOf).

Simple, I will do it.

Is it OK that freeIPA uses two kinds of memberOf?


The author of the patch could help, too :-)


Re: [SSSD] Fix #2275 nested netgroups do not work in IPA provider

2015-09-03 Thread Petr Cech

On 09/03/2015 10:08 AM, Sumit Bose wrote:

On Thu, Sep 03, 2015 at 09:54:51AM +0200, Jakub Hrozek wrote:

On Thu, Sep 03, 2015 at 09:31:07AM +0200, Petr Cech wrote:

On 09/03/2015 08:18 AM, Jakub Hrozek wrote:

On Thu, Sep 03, 2015 at 06:15:24AM +0200, Lukas Slebodnik wrote:

On (02/09/15 18:06), Petr Cech wrote:

Hi,

reverting this commit "5e9bc89b28f1ac3ce573ecdece74fe9623580c28" fixed the
problem for me. So is the original commit no longer valid?


I'm little bit worried about reverting this patch.
Did you test the bug which was fixed by this commit.
@see https://fedorahosted.org/sssd/ticket/1519

Thanks.

Tested. We need both patches (because user groups are in memberOf and host
groups are in orig_memberOf).
Simple, I will do it.

Is it OK that freeIPA uses two kinds of memberOf?


It does not. In FreeIPA LDAP there should only be memberOf (check it
out with openldap). What is happening is that we internally store IPA's
memberof value as originalMemberOf and our memberof points to cached
objects.


yes and since we (so far) only store POSIX groups (user groups) in the
SSSD cache memberOf will only point to user groups. But as Jakub said
originalMemberOf should contain all memberOf attributes from the
related IPA LDAP object. Hence I would expect that originalMemberOf will
have a complete list of memberships with both user and host groups.

bye,
Sumit

I tried both cases. I used only originalMemberOf and I had right
hostgroups, no user groups. Then I used only memberOf and I had no
hostgroups, right user groups.


So I did little hack, we could use both memberOf. The patch is attached 
and it works for me.


Petr




>From 7ee4be91c40210e6671bb66098936261550e4fef Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Wed, 2 Sep 2015 11:51:12 -0400
Subject: [PATCH] IPA PROVIDER: Resolve nested netgroup membership

Information about usergroup membership is stored in memberOf
attribute. And information about hostgroup membership is stored
in originalMemberOf.
This patch adds both, memberOf and originalMemberOf, attributes
for searching in.

Ticket: https://fedorahosted.org/sssd/ticket/2275
---
 src/providers/ipa/ipa_netgroups.c | 30 ++
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index db29d29ee8f18d3d963402c4811bdef43bae63dc..07338a6ba94ccdfbe18dc359d8249bf6fd3d05d6 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -704,9 +704,9 @@ struct extract_state {
 int entries_count;
 };
 
-static bool extract_entities(hash_entry_t *entry, void *pvt)
+static bool extract_entity(hash_entry_t *entry, const char* attr, void *pvt)
 {
-int i, ret;
+int ret;
 struct extract_state *state;
 struct sysdb_attrs *member;
 struct ldb_message_element *el;
@@ -715,22 +715,25 @@ static bool extract_entities(hash_entry_t *entry, void *pvt)
 state = talloc_get_type(pvt, struct extract_state);
 member = talloc_get_type(entry->value.ptr, struct sysdb_attrs);
 
-ret = sysdb_attrs_get_el(member, SYSDB_ORIG_MEMBEROF, );
-if (ret != EOK) return false;
+ret = sysdb_attrs_get_el(member, attr, );
+if (ret != EOK) {
+return false;
+}
 
 ret = sysdb_attrs_get_el(member, SYSDB_NAME, _el);
 if (ret != EOK || name_el == NULL || name_el->num_values == 0) {
 return false;
 }
 
-for (i = 0; i < el->num_values; i++) {
-if (strcmp((char *)el->values[i].data, state->group) == 0) {
-
-state->entries = talloc_realloc(state, state->entries, const char *,
+for (int j = 0; j < el->num_values; j++) {
+if (strcmp((char *)el->values[j].data, state->group) == 0) {
+state->entries = talloc_realloc(state, state->entries,
+const char *,
 state->entries_count + 1);
 if (state->entries == NULL) {
 return false;
 }
+
 state->entries[state->entries_count] = (char *)name_el->values[0].data;
 state->entries_count++;
 break;
@@ -740,6 +743,17 @@ static bool extract_entities(hash_entry_t *entry, void *pvt)
 return true;
 }
 
+static bool extract_entities(hash_entry_t *entry, void *pvt)
+{
+bool ret1 = false;
+bool ret2 = false;
+
+ret1 = extract_entity(entry, SYSDB_ORIG_MEMBEROF, pvt);
+ret2 = extract_entity(entry, SYSDB_MEMBEROF, pvt);
+
+return ret1 || ret2;
+}
+
 static int extr
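Review bot: in the new extract_entities(), calling extract_entity() once for SYSDB_ORIG_MEMBEROF and once for SYSDB_MEMBEROF can append the same name to state->entries twice, because each `break` only leaves the loop of its own call. A member that lists state->group in both attributes is then counted twice in entries_count. `return ret1 || ret2;` also hides a failed talloc_realloc in the first call: state->entries is NULL at that point while entries_count is unchanged, and the second call reallocates from NULL. Please stop after the first failure and either deduplicate or have extract_entity() report whether it already added the entry.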

Re: [SSSD] [PATCH] [HBAC]: Better libhbac debuging

2015-09-01 Thread Petr Cech

On 09/01/2015 11:00 AM, Pavel Reichl wrote:

 From 6b1c6cac7123e78a2c55c51019b66a6bcf97ec29 Mon Sep 17 00:00:00 2001
From: Petr Cech<pc...@redhat.com>
Date: Fri, 24 Jul 2015 10:56:49 -0400
Subject: [PATCH 2/2] HBAC: Better libhbac debugging

Added support for logging via external log function.
Log provides information about rules evaluating (HBAC_DBG_INFO level)
and additionally can describe rules (HBAC_DBG_TRACE level).

Resolves:
https://fedorahosted.org/sssd/ticket/2703
---
  src/providers/ipa/hbac_evaluator.c | 152 +
  src/providers/ipa/ipa_access.c |  49 
  src/providers/ipa/ipa_hbac.exports |   3 +-
  src/providers/ipa/ipa_hbac.h   |  22 ++
  4 files changed, 225 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/hbac_evaluator.c 
b/src/providers/ipa/hbac_evaluator.c
index 
f40f9e0a7f16f5e012079c637b89c8e49ec5d15b..6f236058a4a9711cf9bfba1db1447789bbb2d4b5
 100644
--- a/src/providers/ipa/hbac_evaluator.c
+++ b/src/providers/ipa/hbac_evaluator.c
@@ -38,6 +38,39 @@ typedef int errno_t;
  #define EOK 0
  #endif

+/* HBAC logging system */
+
+/* debug macro */
+#define HBAC_DEBUG(level, format, ...) do { \
+if (hbac_debug_fn != NULL) { \
+hbac_debug_fn(__FILE__, __LINE__, level, format, ##__VA_ARGS__); \
+} \
+} while (0)
+
+/* static pointer to external logging function */
+static hbac_debug_fn_t hbac_debug_fn = NULL;
+
+/* setup function for external logging function */
+void hbac_enable_debug(hbac_debug_fn_t external_debug_fn)
+{
+hbac_debug_fn = external_debug_fn;
+}
+
+/* auxiliary function for hbac_request_element logging */
+static void hbac_request_element_debug_print(struct hbac_request_element *el,
+ const char *label);
+
+/* auxiliary function for hbac_eval_req logging */
+static void hbac_req_debug_print(struct hbac_eval_req *req);
+
+/* auxiliary function for hbac_rule_element logging */
+static void hbac_rule_element_debug_print(struct hbac_rule_element *el,
+  const char *label);
+
+/* auxiliary function for hbac_rule logging */
+static void hbac_rule_debug_print(struct hbac_rule *rule);
+
+
  /* Placeholder structure for future HBAC time-based
   * evaluation rules
   */
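Review bot: the HBAC_DEBUG macro at the top of this hunk is defined before the `static hbac_debug_fn_t hbac_debug_fn` it uses and relies on `##__VA_ARGS__`, which is a GNU extension; declaring the pointer first and noting the compiler requirement in the comment would make this easier to read. hbac_enable_debug() stores the callback in a file-level static without saying how logging is switched off again or whether it may be called while hbac_evaluate() is running. A short doc comment stating that NULL disables logging, and what the threading expectations are, would help callers.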
@@ -114,9 +147,13 @@ enum hbac_eval_result hbac_evaluate(struct hbac_rule 
**rules,
  enum hbac_eval_result result = HBAC_EVAL_DENY;
  enum hbac_eval_result_int intermediate_result;

+HBAC_DEBUG(HBAC_DBG_INFO, "[< hbac_evaluate()\n");
+hbac_req_debug_print(hbac_req);
+
  if (info) {
  *info = malloc(sizeof(struct hbac_info));
  if (!*info) {
+HBAC_DEBUG(HBAC_DBG_ERROR, "Out of memory.\n");
  return HBAC_EVAL_OOM;
  }
  (*info)->code = HBAC_ERROR_UNKNOWN;
@@ -125,20 +162,25 @@ enum hbac_eval_result hbac_evaluate(struct hbac_rule 
**rules,
  uint32_t i;

I know that you haven't changed this code, but could you move the
definition of i into for cycle or to the beginning of the block?

Fixed.


  for (i = 0; rules[i]; i++) {
+hbac_rule_debug_print(rules[i]);
  intermediate_result = hbac_evaluate_rule(rules[i], hbac_req, );
  if (intermediate_result == HBAC_EVAL_UNMATCHED) {
  /* This rule did not match at all. Skip it */
+HBAC_DEBUG(HBAC_DBG_INFO, "DISALLOWED by rule [%s].\n",
+   rules[i]->name);

I think this log message is wrong. Rule did not match - it was not
relevant for this user, host or service.  There are no deny rules. "The
rule [%s] did not match" is fine by me, do you agree?

Fixed.

  continue;
  } else if (intermediate_result == HBAC_EVAL_MATCHED) {
  /* This request matched an ALLOW rule
   * Set the result to ALLOW but continue checking
   * the other rules in case a DENY rule trumps it.
   */
+HBAC_DEBUG(HBAC_DBG_INFO, "ALLOWED by rule [%s].\n", 
rules[i]->name);
  result = HBAC_EVAL_ALLOW;
  if (info) {
  (*info)->code = HBAC_SUCCESS;
  (*info)->rule_name = strdup(rules[i]->name);
  if (!(*info)->rule_name) {
+HBAC_DEBUG(HBAC_DBG_ERROR, "Out of memory.\n");
  result = HBAC_EVAL_ERROR;
  (*info)->code = HBAC_ERROR_OUT_OF_MEMORY;
  }
@@ -146,6 +188,9 @@ enum hbac_eval_result hbac_evaluate(struct hbac_rule 
**rules,
  break;
  } else {
  /* An error occurred processing this rule */
+HBAC_DEBUG(HBAC_DBG_ERROR,
+   "Error occurred during evaluating of rule [%s].\n",
+   rules[i]->name);
  result = HBAC_EVAL_ERROR;
  if (info) {
  

Re: [SSSD] [PATCH] sss_override: document --debug options

2015-08-25 Thread Petr Cech

On 08/25/2015 01:00 PM, Pavel Březina wrote:

https://fedorahosted.org/sssd/ticket/2758


Hi Pavel,
I have 3 formal comments to coding style.
Now I am running the tests. I will send you mail
with results soon.
Petr

0001-sss_override-document-debug-options.patch


 From f181b0a94863f082abaf074a0940e83fbf1c89b1 Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrez...@redhat.com>
Date: Tue, 25 Aug 2015 12:58:45 +0200
Subject: [PATCH] sss_override: document --debug options

Resolves:
https://fedorahosted.org/sssd/ticket/2758
---
  src/man/sss_override.8.xml   | 18 +-
  src/tools/common/sss_tools.c | 25 +
  2 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/src/man/sss_override.8.xml b/src/man/sss_override.8.xml
index 
d289f5b7dfa7fbd328831b4c71d45b4c555225cf..3db8cbe05322ddf662faaa4810cd3bf6b25f8883
 100644
--- a/src/man/sss_override.8.xml
+++ b/src/man/sss_override.8.xml
@@ -38,7 +38,7 @@
  all local overrides are lost.
  /para
  /refsect1
-
+


There are 4 trailing white spaces.

  refsect1 id='commands'
  titleAVAILABLE COMMANDS/title
  para
@@ -189,6 +189,22 @@
  /varlistentry
  /variablelist
  /refsect1
+


There are 4 trailing white spaces too.

+refsect1 id='options'
+titleCOMMON OPTIONS/title
+para
+Those options are available with all commands.
+/para
+variablelist remap='IP'
+varlistentry
+term
+option-d/option,option--debug/option
+replaceableLEVEL/replaceable
+/term
+xi:include xmlns:xi=http://www.w3.org/2001/XInclude;  
href=include/debug_levels.xml /
+/varlistentry
+/variablelist
+/refsect1
  
  xi:include xmlns:xi=http://www.w3.org/2001/XInclude;  href=include/seealso.xml /
  
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c

index 
6bbce3a25c0b23ebc108a917a38e94981b65..3e732a3411494262ea34a1e5c332e86f5128e771
 100644
--- a/src/tools/common/sss_tools.c
+++ b/src/tools/common/sss_tools.c
@@ -36,6 +36,13 @@ struct sss_cmdline {
  const char **argv;
  };
  
+static void sss_tool_print_common_opts(void)

+{
+fprintf(stderr, _(Common options:\n));
+fprintf(stderr,   -d, --debug=INT%s\n,
+_(Enable debug at level));

I'm not sure, but is it habit to indent to '('?
I mean:

|| +fprintf(stderr,   -d, --debug=INT%s\n,
|| +_(Enable debug at level));


+}
+
  static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx,
   int *argc, const char **argv)
  {
@@ -201,6 +208,9 @@ int sss_tool_usage(const char *tool_name,
  fprintf(stderr, * %s\n, commands[i].command);
  }
  
+fprintf(stderr, _(\n));

+sss_tool_print_common_opts();
+
  return EXIT_FAILURE;
  }
  
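Review bot: `fprintf(stderr, _(\n));` in sss_tool_usage() passes a bare newline through the translation macro `_()`, which hands translators an empty message for no benefit. Print the newline untranslated, the way sss_tool_popt_print_help() does in the next hunk with `fprintf(stderr, \n);`.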
@@ -237,6 +247,13 @@ int sss_tool_route(int argc, const char **argv,

  return sss_tool_usage(argv[0], commands);
  }
  
+static void sss_tool_popt_print_help(poptContext pc)

+{
+poptPrintHelp(pc, stderr, 0);
+fprintf(stderr, \n);
+sss_tool_print_common_opts();
+}
+
  int sss_tool_popt_ex(struct sss_cmdline *cmdline,
   struct poptOption *options,
   enum sss_tool_opt require_option,
@@ -286,7 +303,7 @@ int sss_tool_popt_ex(struct sss_cmdline *cmdline,
  } else {
  fprintf(stderr, _(Invalid option %s: %s\n\n),
  poptBadOption(pc, 0), poptStrerror(ret));
-poptPrintHelp(pc, stderr, 0);
+sss_tool_popt_print_help(pc);
  ret = EXIT_FAILURE;
  goto done;
  }
@@ -297,7 +314,7 @@ int sss_tool_popt_ex(struct sss_cmdline *cmdline,
  *_fopt = poptGetArg(pc);
  if (*_fopt == NULL) {
  fprintf(stderr, _(Missing option: %s\n\n), fopt_help);
-poptPrintHelp(pc, stderr, 0);
+sss_tool_popt_print_help(pc);
  ret = EXIT_FAILURE;
  goto done;
  }
@@ -305,7 +322,7 @@ int sss_tool_popt_ex(struct sss_cmdline *cmdline,
  /* No more arguments expected. If something follows it is an error. */
  if (poptGetArg(pc)) {
  fprintf(stderr, _(Only one free argument is expected!\n\n));
-poptPrintHelp(pc, stderr, 0);
+sss_tool_popt_print_help(pc);
  ret = EXIT_FAILURE;
  goto done;
  }
@@ -315,7 +332,7 @@ int sss_tool_popt_ex(struct sss_cmdline *cmdline,
  if (require_option == SSS_TOOL_OPT_REQUIRED
   ((_fopt != NULL  cmdline-argc  2) || cmdline-argc  1)) {
  fprintf(stderr, _(At least one option is required!\n\n));
-poptPrintHelp(pc, stderr, 0);
+sss_tool_popt_print_help(pc);
  ret = EXIT_FAILURE;
  goto done;
  }
-- 2.1.0




Re: [SSSD] [PATCH] sss_override: document --debug options

2015-08-25 Thread Petr Cech

On 08/25/2015 01:36 PM, Pavel Březina wrote:

+static void sss_tool_print_common_opts(void)
+{
+fprintf(stderr, _(Common options:\n));
+fprintf(stderr,   -d, --debug=INT%s\n,
+_(Enable debug at level));

I'm not sure, but is it habit to indent to '('?
I mean:

|| +fprintf(stderr,   -d, --debug=INT%s\n,
|| +_(Enable debug at level));


I tend to indent to format specifier if possible, so format and data 
remains together.

OK.

I installed it, everything is right.
http://sssd-ci.duckdns.org/logs/job/23/76/summary.html

ACK

Petr


Re: [SSSD] [PATCH] DATA_PROVIDER: BE_REQ as string in log message

2015-09-08 Thread Petr Cech

On 09/04/2015 04:32 PM, Pavel Reichl wrote:

On 08/28/2015 04:31 PM, Petr Cech wrote:

+  "Got request for [%#x][%s][%d][%s]\n", type, be_req2str(type),
+  attr_type, filter);


Petr do you think it could be useful to print attr_type as a string?


We talked about it offline. It seems to be only value type, nothing 
important.


But there is a new rebased patch, because development you cannot stop.

Petr


From bb50f8cc4c50a68c0046e768b721e24d37752813 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Tue, 18 Aug 2015 06:59:31 -0400
Subject: [PATCH] DATA_PROVIDER: BE_REQ as string in log message

Add be_req2str() for translation BE_REQ to string.
So we will have
|| Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]
instead of
|| Got request for [0x1001][1][name=celestian]

Function be_req2str() is used in data provider and in responder too.
So this patch creates a new header file data_provider_req.h which
delivers function be_req2str() and definitions of BE_REQ_*.

Resolves:
https://fedorahosted.org/sssd/ticket/2708
---
 Makefile.am |  5 +++-
 src/providers/data_provider.h   | 17 +--
 src/providers/data_provider_be.c|  3 +-
 src/providers/data_provider_req.c   | 58 +
 src/providers/data_provider_req.h   | 51 
 src/responder/common/responder_dp.c |  4 +--
 6 files changed, 118 insertions(+), 20 deletions(-)
 create mode 100644 src/providers/data_provider_req.c
 create mode 100644 src/providers/data_provider_req.h

diff --git a/Makefile.am b/Makefile.am
index 851f943a4c57b70cee4f4f34e83457e7d204aff1..dc0670a5c720ab58a47e7da356578256b4659695 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -449,7 +449,8 @@ SSSD_RESPONDER_OBJ = \
 src/monitor/monitor_iface_generated.c \
 src/monitor/monitor_iface_generated.h \
 src/providers/data_provider_iface_generated.c \
-src/providers/data_provider_iface_generated.h
+src/providers/data_provider_iface_generated.h \
+src/providers/data_provider_req.c
 
 SSSD_TOOLS_OBJ = \
 src/tools/sss_sync_ops.c \
@@ -587,6 +588,7 @@ dist_noinst_HEADERS = \
 src/confdb/confdb_private.h \
 src/confdb/confdb_setup.h \
 src/providers/data_provider.h \
+src/providers/data_provider_req.h \
 src/providers/dp_backend.h \
 src/providers/dp_dyndns.h \
 src/providers/dp_ptask_private.h \
@@ -1201,6 +1203,7 @@ endif
 
 sssd_be_SOURCES = \
 src/providers/data_provider_be.c \
+src/providers/data_provider_req.c \
 src/providers/data_provider_fo.c \
 src/providers/data_provider_opts.c \
 src/providers/data_provider_callbacks.c \
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 510c63ce41c99314ec8fcf11fffb2e66082e8951..39051b90c3aad96f62dcbb86a20bcfd8c954879b 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -43,6 +43,7 @@
 #include "sbus/sbus_client.h"
 #include "sss_client/sss_cli.h"
 #include "util/authtok.h"
+#include "providers/data_provider_req.h"
 #include "providers/data_provider_iface_generated.h"
 
 #define DATA_PROVIDER_VERSION 0x0001
@@ -131,22 +132,6 @@
 #define BE_FILTER_CERT 6
 #define BE_FILTER_WILDCARD 7
 
-#define BE_REQ_USER  0x0001
-#define BE_REQ_GROUP 0x0002
-#define BE_REQ_INITGROUPS0x0003
-#define BE_REQ_NETGROUP  0x0004
-#define BE_REQ_SERVICES  0x0005
-#define BE_REQ_SUDO_FULL 0x0006
-#define BE_REQ_SUDO_RULES0x0007
-#define BE_REQ_AUTOFS0x0009
-#define BE_REQ_HOST  0x0010
-#define BE_REQ_BY_SECID  0x0011
-#define BE_REQ_USER_AND_GROUP 0x0012
-#define BE_REQ_BY_UUID   0x0013
-#define BE_REQ_BY_CERT   0x0014
-#define BE_REQ_TYPE_MASK 0x00FF
-#define BE_REQ_FAST  0x1000
-
 #define DP_SEC_ID "secid"
 #define DP_CERT "cert"
 /* sizeof() counts the trailing \0 so we must substract 1 for the string
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index d147630248f0a24f5a632760b55b9284a6928e40..d71a69cb8e2997975828236998ec0b0e3f353f07 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -1104,7 +1104,8 @@ static int be_get_account_info(struct sbus_request *dbus_req, void *user_data)
 return EOK; /* handled */
 
 DEBUG(SSSDBG_FUNC_DATA,
-  "Got request for [%#x][%d][%s]\n", type, attr_type, filter);
+  "Got request for [%#x][%s][%d][%s]\n", type, be_req2str(type),
+  attr_type, filter);
 
 /* If we are offline and fast reply was requested
  * return offline immediately
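Review bot: be_req2str(type) is passed straight to a %s conversion in this DEBUG call, so it must never return NULL, including for type values that match none of the BE_REQ_* constants. The body of be_req2str() is not part of the visible hunks; please confirm it has a default branch returning a fixed string, and document in data_provider_req.h how the BE_REQ_FAST flag is rendered, since the commit message shows `FAST BE_REQ_USER`.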
diff --git a/src/providers/data_provider_req.c b/src/providers/data_provider_req.c

[SSSD] Review of umask() in SSSD

2015-09-10 Thread Petr Cech

Hi,

I am reviewing umask() in our code according to
https://fedorahosted.org/sssd/ticket/2424

There are many uses like umask(DFL_RSP_UMASK):
src/responder/autofs/autofssrv.c:223
src/responder/ifp/ifpsrv.c:401
src/responder/nss/nsssrv.c:589
src/responder/pac/pacsrv.c:232
src/responder/pam/pamsrv.c:369
src/responder/ssh/sshsrv.c:209
src/responder/sudo/sudosrv.c:215
where DFL_RSP_UMASK is defined as 0177.

There are another three uses of umask 0177:
src/confdb/confdb.c:662
src/util/debug.c:365
src/util/server.c:495

And then I see many uses of umask 077:
src/p11_child/p11_child_nss.c:485
src/providers/krb5/krb5_child.c:723
src/tests/check_and_open-tests.c:51
src/tests/debug-tests.c:136
src/tests/debug-tests.c:276
src/tests/util-tests.c:596
src/util/domain_info_utils.c:312
src/util/domain_info_utils.c:562
src/tools/tools_util.c:503

I would like to ask you if we would like to use 0077 or 0177 as our very 
restrictive mask. I see that our code is not consistent on this 
question. I know the difference is small, but it is.


Then we have some insecure uses:
src/providers/ipa/selinux_child.c:154:   umask = 0
src/providers/krb5/krb5_ccache.c:188:umask = 
src/responder/nss/nsssrv_mmap_cache.c:1121:  umask = 0022
but I think there is reason for it.

And the last one is at src/responder/common/responder_common.c:561:
int create_pipe_fd(const char *sock_name, int *_fd, mode_t umaskval)
We use it secure (0177) at:
src/responder/common/responder_common.c:693
src/responder/pam/pamsrv.c:399

And not so secure:
src/responder/common/responder_common.c:670  umask = 0111
src/responder/pam/pamsrv.c:391   umask = 0111
src/tests/cwrap/test_responder_common.c:173  umask = 0111
src/tests/cwrap/test_responder_common.c:179  umask = 

So, what could I do? Maybe we could have only one very secure umask and 
maybe we could have CONSTANT for every use of umask. Any other ideas?


Regards

Petr
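
An added example, not part of the message above and not SSSD code: it creates a regular file, a directory and a UNIX socket under each of the masks listed (0077, 0177, 0111, 0022) and reads back the resulting permission bits. The helper name `mode_under_umask`, the `obj_kind` enum and the `/tmp` scratch path are assumptions made for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for mkdtemp() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical names, used only by this example. */
enum obj_kind { OBJ_FILE, OBJ_DIR, OBJ_SOCKET };

/* Create one object of the given kind while `mask` is the process umask and
 * return its permission bits, or -1 on error. The previous umask is restored
 * before returning, and the scratch directory is removed again. */
static int mode_under_umask(enum obj_kind kind, mode_t mask)
{
    char dir[] = "/tmp/umask_demo_XXXXXX";   /* constructed scratch path */
    char path[128];
    struct sockaddr_un addr;
    struct stat st;
    mode_t old;
    int fd = -1, rc = -1, result = -1;

    if (mkdtemp(dir) == NULL) {
        return -1;
    }
    snprintf(path, sizeof(path), "%s/obj", dir);

    old = umask(mask);
    switch (kind) {
    case OBJ_FILE:
        /* Typical request for a data file: rw for everyone, minus umask. */
        fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);
        rc = (fd >= 0) ? 0 : -1;
        break;
    case OBJ_DIR:
        rc = mkdir(path, 0777);
        break;
    case OBJ_SOCKET:
        /* bind() creates the socket file; only the umask limits its mode. */
        fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (fd < 0) {
            break;
        }
        memset(&addr, 0, sizeof(addr));
        addr.sun_family = AF_UNIX;
        strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
        rc = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
        break;
    }
    umask(old);                 /* never leave the changed mask behind */

    if (rc == 0 && lstat(path, &st) == 0) {
        result = (int)(st.st_mode & 0777);
    }

    if (fd >= 0) {
        close(fd);
    }
    if (kind == OBJ_DIR) {
        rmdir(path);
    } else {
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    static const mode_t masks[] = { 0077, 0177, 0111, 0022 };
    size_t m;
    int k;

    printf("umask  file  dir   socket\n");
    for (m = 0; m < sizeof(masks) / sizeof(masks[0]); m++) {
        printf("%04o ", (unsigned)masks[m]);
        for (k = OBJ_FILE; k <= OBJ_SOCKET; k++) {
            printf("  %04o", (unsigned)mode_under_umask((enum obj_kind)k,
                                                       masks[m]));
        }
        printf("\n");
    }
    return 0;
}
```

For a file opened with 0666 the masks 0077 and 0177 give the same 0600; they differ for sockets and directories, where 0177 also removes the owner's execute (search) bit.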


[SSSD] [PATCH] DEBUG: Preventing chown_debug_file if journald on

2015-09-10 Thread Petr Cech

Hi,
patch for
https://fedorahosted.org/sssd/ticket/2493
is attached.
Petr
From 1d87d8dd390c229ac603569a604d9cca656c3f1b Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Thu, 10 Sep 2015 10:05:59 -0400
Subject: [PATCH] DEBUG: Preventing chown_debug_file if journald on

There is function chown_debug_file() which didn't check
if the SSSD is compiled with journald support.

This patch adds simple checking of this state.

Resolves:
https://fedorahosted.org/sssd/ticket/2493
---
 src/util/debug.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/util/debug.c b/src/util/debug.c
index 69df54386101973548108c3194a1bfd111f046f0..70d136dbfc996a4bcbd246861c55c6eba7a5b65b 100644
--- a/src/util/debug.c
+++ b/src/util/debug.c
@@ -316,6 +316,8 @@ int chown_debug_file(const char *filename,
 const char *log_file;
 errno_t ret;
 
+#ifndef WITH_JOURNALD
+
 if (filename == NULL) {
 log_file = debug_log_file;
 } else {
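Review bot: with `#ifndef WITH_JOURNALD` placed after the declarations, `log_file` and `ret` and the `filename` parameter are unused in journald builds, which will produce unused-variable warnings. Move the guard so the declarations sit inside it, or mark them as unused. The matching `#endif` comment in the next hunk should read `/* !WITH_JOURNALD */`, since the block is compiled when the macro is not defined.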
@@ -336,6 +338,8 @@ int chown_debug_file(const char *filename,
 return ret;
 }
 
+#endif /* WITH_JOURNALD */
+
 return EOK;
 }
 
-- 
2.4.3



Re: [SSSD] [PATCH] [HBAC]: Better libhbac debuging

2015-09-14 Thread Petr Cech

On 09/11/2015 05:24 PM, Lukas Slebodnik wrote:

--- a/src/providers/ipa/ipa_hbac.exports
>+++ b/src/providers/ipa/ipa_hbac.exports
>@@ -1,4 +1,4 @@
>-IPA_HBAC_0.0.1 {
>+IPA_HBAC_0.0.2 {
>
> # public functions
> global:
>@@ -8,6 +8,7 @@ IPA_HBAC_0.0.1 {
> hbac_error_string;
> hbac_free_info;
> hbac_rule_is_complete;
>+hbac_enable_debug;

This change is not correct.
new functions should not be added to the existing version
which was released.

You also forgot to update version-info for library.

@see more details about version script files in the thread which
introduced them to sssd
https://lists.fedorahosted.org/pipermail/sssd-devel/2014-July/019693.html

On Thu, Jun 26, 2014 at 10:31:27AM +0200, Lukas Slebodnik wrote:

>ehlo,
>
>attached patch fixes ticket #2194.
>
>If you want to know more about version script (version maps) here are links:
>
>http://people.redhat.com/drepper/dsohowto.pdf
> (sections 2.2.5 .. 2.2.7, 3.4, 3.5)
>https://www.gnu.org/software/gnulib/manual/html_node/LD-Version-Scripts.html
>ftp://ftp.gnu.org/old-gnu/Manuals/ld-2.9.1/html_node/ld_25.html


BTW all these links were provided off the lists few weeks ago.
and for simplification attached is a patch which should be squashed
to your 2nd patch:-)


LS

Hello Lukas,
thanks for comment and for patch too. I attached fixed patch.
Petr



0001-squash_me.patch


 From 4246d5cd91c4c34b8524be5bfce38c57163a6e2b Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik<lsleb...@redhat.com>
Date: Fri, 11 Sep 2015 17:04:58 +0200
Subject: [PATCH] squash_me

---
  Makefile.am| 2 +-
  src/providers/ipa/ipa_hbac.exports | 8 ++--
  2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 
851f943a4c57b70cee4f4f34e83457e7d204aff1..a2a868455f91fac212fcfa7b41681086145c06f9
 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -928,7 +928,7 @@ libipa_hbac_la_LIBADD = \
  $(UNICODE_LIBS)
  libipa_hbac_la_LDFLAGS = \
  -Wl,--version-script,$(srcdir)/src/providers/ipa/ipa_hbac.exports \
--version-info 0:1:0
+-version-info 1:0:1
Lukas, are you sure about this version number 1:0:1? If you're really sure 
about this number, I have not understood it properly.


  dist_noinst_DATA += src/providers/ipa/ipa_hbac.exports

diff --git a/src/providers/ipa/ipa_hbac.exports 
b/src/providers/ipa/ipa_hbac.exports
index 
63b6a5cd673d7b7f3096794648483d280a6bb47f..b7945e139b9ab81b7c1d68eb707acaaff7163a2e
 100644
--- a/src/providers/ipa/ipa_hbac.exports
+++ b/src/providers/ipa/ipa_hbac.exports
@@ -1,4 +1,4 @@
-IPA_HBAC_0.0.2 {
+IPA_HBAC_0.0.1 {

  # public functions
  global:
@@ -8,9 +8,13 @@ IPA_HBAC_0.0.2 {
  hbac_error_string;
  hbac_free_info;
  hbac_rule_is_complete;
-hbac_enable_debug;

  # everything else is local
  local:
  *;
  };
+
+IPA_HBAC_0.1.0 {
+global:
+hbac_evaluate;
+} IPA_HBAC_0.0.1;
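Review bot: the new IPA_HBAC_0.1.0 node lists `hbac_evaluate`, while the symbol this hunk removes from the old node is `hbac_enable_debug`. As written, hbac_enable_debug is no longer exported by any node visible here. Unless hbac_evaluate is deliberately being re-versioned, the new node should carry `hbac_enable_debug;` instead.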
--
From 3b235cdc2c8d55dbaac9a78f82bef12576346b97 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Wed, 26 Aug 2015 02:50:26 -0400
Subject: [PATCH 1/2] TESTS: Fixing of uninitialized pointer.

There was a bug with uninitialized pointer during solving ticket 2703.

More details:
rules[0]->services->names[1] is initialized on line 361, but
initializing of rules[0]->srchosts->names[1] was missing.

Resolves:
https://fedorahosted.org/sssd/ticket/2703
---
 src/tests/ipa_hbac-tests.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tests/ipa_hbac-tests.c b/src/tests/ipa_hbac-tests.c
index bd56c8f107b05f07b1ba8913fc14a03419d679f7..f2192a6fbc5188a7a7f6b204e03ca5961bb53f75 100644
--- a/src/tests/ipa_hbac-tests.c
+++ b/src/tests/ipa_hbac-tests.c
@@ -367,7 +367,7 @@ START_TEST(ipa_hbac_test_allow_utf8)
 fail_if(rules[0]->services->names == NULL);
 
 rules[0]->srchosts->names[0] = (const char *) _utf8_upcase;
-rules[0]->services->names[1] = NULL;
+rules[0]->srchosts->names[1] = NULL;
 
 rules[1] = NULL;
 
-- 
2.4.3

From 8964ab1d9647086c977ea25563ac552092f7159e Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Fri, 24 Jul 2015 10:56:49 -0400
Subject: [PATCH 2/2] HBAC: Better libhbac debugging

Added support for logging via external log function.
Log provides information about rules evaluating (HBAC_DBG_INFO level)
and additionally can describe rules (HBAC_DBG_TRACE level).

Resolves:
https://fedorahosted.org/sssd/ticket/2703
---
 Makefile.am|   2 +-
 src/providers/ipa/hbac_evaluator.c | 168 -
 src/providers/ipa/ipa_access.c |  50 +++
 src/providers/ipa/ipa_hbac.exports |   6 ++
 src/providers/ipa/ipa_hbac.h   |  22 +
 5 files changed, 245 insertions(+), 3 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 851f943a4c57b70c

Re: [SSSD] [PATCH] DEBUG: Preventing chown_debug_file if journald on

2015-09-14 Thread Petr Cech

On 09/11/2015 11:02 AM, Lukas Slebodnik wrote:

I do not understand how is the function chown_debug_file related to journald.
sssd can be compiled with journald support and at the same time can log to the
files. This is a default for fedora and rhel7.

If someone wants to enable logging all messages to journald then a manual
change to the file /etc/systemd/system/sssd.service.d/journal.conf is required.


LS


Right, thanks, it wasn't a good way to fix it. There is another fixing 
patch attached.


I used variable debug_file which informs us if we use logfiles.
And I hope that I can ignore variable debug_to_stderr.

Petr
From 8cb0a4a6b59259e9096ae6f5926595b7b10d6b27 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Thu, 10 Sep 2015 10:05:59 -0400
Subject: [PATCH] DEBUG: Preventing chown_debug_file if journald on

There is function chown_debug_file() which didn't check
if the SSSD is compiled with journald support.

This patch adds simple checking of this state.

Resolves:
https://fedorahosted.org/sssd/ticket/2493
---
 src/util/debug.c | 35 +++
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/src/util/debug.c b/src/util/debug.c
index 69df54386101973548108c3194a1bfd111f046f0..b6ab368db824bbd297dcb410c3e669d911ff0d33 100644
--- a/src/util/debug.c
+++ b/src/util/debug.c
@@ -316,24 +316,27 @@ int chown_debug_file(const char *filename,
 const char *log_file;
 errno_t ret;
 
-if (filename == NULL) {
-log_file = debug_log_file;
-} else {
-log_file = filename;
-}
+if (debug_file) {
 
-ret = asprintf(, "%s/%s.log", LOG_PATH, log_file);
-if (ret == -1) {
-return ENOMEM;
-}
+if (filename == NULL) {
+log_file = debug_log_file;
+} else {
+log_file = filename;
+}
 
-ret = chown(logpath, uid, gid);
-free(logpath);
-if (ret != 0) {
-ret = errno;
-DEBUG(SSSDBG_FATAL_FAILURE, "chown failed for [%s]: [%d]\n",
-  log_file, ret);
-return ret;
+ret = asprintf(, "%s/%s.log", LOG_PATH, log_file);
+if (ret == -1) {
+return ENOMEM;
+}
+
+ret = chown(logpath, uid, gid);
+free(logpath);
+if (ret != 0) {
+ret = errno;
+DEBUG(SSSDBG_FATAL_FAILURE, "chown failed for [%s]: [%d]\n",
+  log_file, ret);
+return ret;
+}
 }
 
 return EOK;
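Review bot: the commit message still says the function "didn't check if the SSSD is compiled with journald support", but the code now tests the runtime variable `debug_file`; please update the message to describe the check that is actually made. In the hunk itself, an early return at the top of the function when `debug_file` is not set would avoid re-indenting the whole body and would remove the stray blank line after `if (debug_file) {`.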
-- 
2.4.3



Re: [SSSD] [PATCH] cache_req: support UPN

2015-09-16 Thread Petr Cech

On 09/14/2015 01:34 PM, Pavel Březina wrote:

On 09/14/2015 01:32 PM, Pavel Březina wrote:

0001:
Use extra flag also in OOB request.

0002:
Provide support for UPN. This adds an improvement from NSS code, but I'm
not sure if it is desired or not.

If you have [domain/AD.PB] in sssd.conf and UPN "u...@ad.pb" then NSS
responder will not find this user, cache_req will. Is this nss behavior
intentional or a bug?

0003:
I got really sick of the way new tests are written in cache_req when
writing new tests so I kinda rewrote it.


I think this completes the cache_req interface. If you find anything
missing, please let me know so I can add it.


Hi,

I compiled it.
CI tests over all 3 patches:
http://sssd-ci.duckdns.org/logs/job/26/73/summary.html

I was interested in the third patch, since it affects the tests, with 
which I have worked. This is something that I will inspect in more detail.


I cannot say ack, because there is large logic.
I would like to ask someone more experienced
to take care of this review.

Petr

PS: I installed AD on my laptop and I try to set up
it correctly.



Re: [SSSD] [PATCH] [HBAC]: Better libhbac debuging

2015-09-15 Thread Petr Cech

On 09/14/2015 03:25 PM, Jakub Hrozek wrote:

On Mon, Sep 14, 2015 at 02:15:39PM +0200, Petr Cech wrote:

 From 4246d5cd91c4c34b8524be5bfce38c57163a6e2b Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik<lsleb...@redhat.com>
Date: Fri, 11 Sep 2015 17:04:58 +0200
Subject: [PATCH] squash_me

---
  Makefile.am| 2 +-
  src/providers/ipa/ipa_hbac.exports | 8 ++--
  2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 
851f943a4c57b70cee4f4f34e83457e7d204aff1..a2a868455f91fac212fcfa7b41681086145c06f9
 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -928,7 +928,7 @@ libipa_hbac_la_LIBADD = \
  $(UNICODE_LIBS)
  libipa_hbac_la_LDFLAGS = \
  -Wl,--version-script,$(srcdir)/src/providers/ipa/ipa_hbac.exports \
--version-info 0:1:0
+-version-info 1:0:1

Lukas, are you sure about this version number 1:0:1? If you're really sure about
this number, I have not understood it properly.


I have not read the patch at all, just adding a link about version info

[1]

 
https://www.gnu.org/software/libtool/manual/libtool.html#Updating-version-info

The trick to follow this guide is that it's really an algorithm, so you
shouldn't stop at the first change, but continue (potentially reverting
or overwriting previous changes)

I understand, how we changed -version-info (it is exactly by steps as 
described in [1]), but I don't understand clearly changes in .exports.

Petr


Re: [SSSD] [PATCH] cache_req: support UPN

2015-09-17 Thread Petr Cech

Hi Pavel!

There is some code between my last end and this continuation. I read 
it and didn't find anything wrong.


On 09/16/2015 04:26 PM, Petr Cech wrote:

0003-cache_req-tests-reduce-code-duplication.patch


  From e41f96a47f2b0f8d3e07e34af83e9a516d29df34 Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrez...@redhat.com>
Date: Mon, 14 Sep 2015 11:06:45 +0200
Subject: [PATCH 3/3] cache_req tests: reduce code duplication

---
   src/tests/cmocka/test_responder_cache_req.c | 1624
+++
   1 file changed, 394 insertions(+), 1230 deletions(-)

diff --git a/src/tests/cmocka/test_responder_cache_req.c
b/src/tests/cmocka/test_responder_cache_req.c
index
7db87ccc816ea0e30e707ec8c2fa4666441892a8..2af481494319d0d01d29d0c243020c5adcb06d3a
100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -52,6 +52,27 @@
   test_multi_domain_setup, \
   test_multi_domain_teardown)

+#define run_cache_req(ctx, send_fn, done_fn, dom, crp, lookup, expret)
do { \
+TALLOC_CTX
*req_mem_ctx;\
+struct tevent_req
*req; \
+errno_t
ret;\
+
\
+req_mem_ctx =
talloc_new(global_talloc_context);\
+
check_leaks_push(req_mem_ctx);  \
+
\
+req = send_fn(req_mem_ctx, ctx->tctx->ev,
ctx->rctx,\
+  ctx->ncache, 10,
crp, \
+  (dom == NULL ? NULL : dom->name),
lookup);\
+
assert_non_null(req);   \
+tevent_req_set_callback(req, done_fn,
ctx); \
+
\
+ret =
test_ev_loop(ctx->tctx);  \
+assert_int_equal(ret,
expret);  \
+
assert_true(check_leaks_pop(req_mem_ctx));  \
+
\
+
talloc_free(req_mem_ctx);   \
+} while (0)

This definition should be a function. I found that you use it like
# return run_cache_req(...) but it doesn't provide value.


+
   struct cache_req_test_ctx {
   struct sss_test_ctx *tctx;
   struct resp_ctx *rctx;
@@ -80,46 +101,6 @@ struct cli_protocol_version
*register_cli_protocol_version(void)
   return version;
   }

-struct tevent_req *
-__wrap_sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
-   struct resp_ctx *rctx,
-   struct sss_domain_info *dom,
-   bool fast_reply,
-   enum sss_dp_acct_type type,
-   const char *opt_name,
-   uint32_t opt_id,
-   const char *extra)
-{
-struct sysdb_attrs *attrs = NULL;
-struct cache_req_test_ctx *ctx = NULL;
-errno_t ret;
-
-ctx = sss_mock_ptr_type(struct cache_req_test_ctx*);
-ctx->dp_called = true;
-
-if (ctx->create_user) {
-attrs = sysdb_new_attrs(ctx);
-assert_non_null(attrs);
-
-ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, TEST_UPN);
-assert_int_equal(ret, EOK);
-
-ret = sysdb_store_user(ctx->tctx->dom, TEST_USER_NAME, "pwd",
-   TEST_USER_ID, 1000, NULL, NULL, NULL,
-   "cn=test-user,dc=test", attrs, NULL,
-   1000, time(NULL));
-assert_int_equal(ret, EOK);
-}
-
-if (ctx->create_group) {
-ret = sysdb_store_group(ctx->tctx->dom, TEST_GROUP_NAME,
-TEST_GROUP_ID, NULL, 1000, time(NULL));
-assert_int_equal(ret, EOK);
-}
-
-return test_req_succeed_send(mem_ctx, rctx->ev);
-}
-
   static void cache_req_user_by_name_test_done(struct tevent_req *req)
   {
   struct cache_req_test_ctx *ctx = NULL;
@@ -176,6 +157,173 @@ static void cache_req_group_by_id_test_done(struct
tevent_req *req)
   ctx->tctx->done = true;
   }

+static void prepare_user(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ uint64_t timeout,
+ time_t time)
+{
+struct sysdb_attrs *attrs;
+errno_t ret;
+
+attrs = sysdb_new_attrs(mem_ctx);
+assert_non_null(attrs);
+
+ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, TEST_UPN);
+assert_int_equal(ret, EOK);
+
+ret = sysdb_store_user(domain, TEST_USER_NAME, "pwd",
+   TEST_USER_ID, TEST_GROUP_ID, NULL, NULL, NULL,
+   "cn=test-user,dc=test", attrs, NULL,
+
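
Review bot: in prepare_user() the parameter `time_t time` shadows the libc time() function, so nothing inside this helper can call time(NULL) the way the removed __wrap_sss_dp_get_account_send() did. Rename the parameter to something that says what the timestamp is for, and consider the same for `timeout`, so call sites read unambiguously.
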

Re: [SSSD] Review of umask() in SSSD

2015-09-15 Thread Petr Cech

On 09/11/2015 01:47 PM, Jakub Hrozek wrote:

On Thu, Sep 10, 2015 at 12:27:17PM +0200, Petr Cech wrote:

Hi,

I am reviewing umask() in our code according to
https://fedorahosted.org/sssd/ticket/2424

There are many uses like umask(DFL_RSP_UMASK):
src/responder/autofs/autofssrv.c:223
src/responder/ifp/ifpsrv.c:401
src/responder/nss/nsssrv.c:589
src/responder/pac/pacsrv.c:232
src/responder/pam/pamsrv.c:369
src/responder/ssh/sshsrv.c:209
src/responder/sudo/sudosrv.c:215
where DFL_RSP_UMASK is defined as 0177.

There are another three uses of umask 0177:
src/confdb/confdb.c:662
src/util/debug.c:365
src/util/server.c:495

And then I see many uses of umask 077:
src/p11_child/p11_child_nss.c:485
src/providers/krb5/krb5_child.c:723
src/tests/check_and_open-tests.c:51
src/tests/debug-tests.c:136
src/tests/debug-tests.c:276
src/tests/util-tests.c:596
src/util/domain_info_utils.c:312
src/util/domain_info_utils.c:562
src/tools/tools_util.c:503

I would like to ask you if we would like to use 0077 or 0177 as our very
restrictive mask. I see that our code is not consistent on this question. I
know the difference is small, but it is.


I guess 0177 should be used.



Then we have some insecure uses:
src/providers/ipa/selinux_child.c:154:   umask = 0
src/providers/krb5/krb5_ccache.c:188:umask = 
src/responder/nss/nsssrv_mmap_cache.c:1121:  umask = 0022
but I think there is a reason for it.


Yes, it would be nice if there was always a comment explaining the
umask.



And the last one is at src/responder/common/responder_common.c:561:
int create_pipe_fd(const char *sock_name, int *_fd, mode_t umaskval)
We use it securely (0177) at:
src/responder/common/responder_common.c:693
src/responder/pam/pamsrv.c:399


If this is in responder, would it make sense to just use DFL_RSP_UMASK ?


And not so secure:
src/responder/common/responder_common.c:670  umask = 0111


This one has a comment explaining why the umask is the way it is, but
would it make sense to add a note about public/private sockets as well
(maybe not to the code but to the InternalsDocs) and #define a constant
for the public pipes?


src/responder/pam/pamsrv.c:391   umask = 0111
src/tests/cwrap/test_responder_common.c:173  umask = 0111
src/tests/cwrap/test_responder_common.c:179  umask = 

So, what could I do? Maybe we could have only one very secure umask and
maybe we could have CONSTANT for every use of umask. Any other ideas?


I like this idea, the constant could describe why we need this
particular umask better than the number also.



Regards

Petr


Thanks, Jakub, for comments. There is a patch attached.
Petr
From 1da3d15cf5cfcd72742cb05be9a144ab40db7d29 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Tue, 15 Sep 2015 10:50:37 -0400
Subject: [PATCH] REFACTOR: Review of umask() function

We have many uses of umask() in our code. This patch substitutes
values with constants and adds comments in some cases.

Resolves:
https://fedorahosted.org/sssd/ticket/2424
---
 src/confdb/confdb.c | 2 +-
 src/p11_child/p11_child_nss.c   | 2 +-
 src/providers/krb5/krb5_ccache.c| 1 +
 src/providers/krb5/krb5_child.c | 2 +-
 src/responder/common/responder_common.c | 3 ++-
 src/responder/pam/pamsrv.c  | 3 ++-
 src/tests/check_and_open-tests.c| 2 +-
 src/tests/debug-tests.c | 4 ++--
 src/tests/util-tests.c  | 2 +-
 src/util/debug.c| 2 +-
 src/util/domain_info_utils.c| 4 ++--
 src/util/server.c   | 2 +-
 src/util/util.h | 2 ++
 13 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 3a8a1c01b92e62302ac4f787ccd085be9d8f05c3..d71a50724d292bbea7d49e650062e11066c6ff77 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -659,7 +659,7 @@ int confdb_init(TALLOC_CTX *mem_ctx,
 return EIO;
 }
 
-old_umask = umask(0177);
+old_umask = umask(SSS_VERY_RESTRICTIVE_UMASK);
 
 ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL);
 umask(old_umask);
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 44ba6678893408dbfc0c6c7cfd5edcdaa789f518..d999e7485f5f67792502400084dbd603f1558a8d 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -482,7 +482,7 @@ int main(int argc, const char *argv[])
 debug_level = SSSDBG_INVALID;
 
 clearenv();
-umask(077);
+umask(SSS_VERY_RESTRICTIVE_UMASK);
 
 pc = poptGetContext(argv[0], argc, argv, long_options, 0);
 while ((opt = poptG
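
Review bot: umask(077) in main() is not the same mask as the 0177 the thread proposes for the shared constant, so this line changes behaviour inside a patch titled REFACTOR. 0177 also clears the owner execute bit, which leaves any directory this process creates unsearchable by its owner. The util.h definition is not visible here; either keep 077 at this call site or state in the commit message that the mask was tightened and that p11_child creates no directories.
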

Re: [SSSD] RFC: Improving the debug messages

2015-09-30 Thread Petr Cech

On 09/30/2015 11:15 AM, Jakub Hrozek wrote:

On Wed, Sep 30, 2015 at 09:53:24AM +0200, Sumit Bose wrote:

It's https://fedorahosted.org/sssd/ticket/2808 . Please add ideas and
suggestions how those tags shall look like.


Thanks, I resurrected
https://fedorahosted.org/sssd/ticket/1372 from Deferred as well.


This topic resonates with me. Text instead of hexadecimal numbers is 
better and it could make our logs more understandable.

And usage patterns are very nice guides for orientation in logs.

I would like to work on this ticket.

Petr


Re: [SSSD] Review of umask() in SSSD

2015-10-01 Thread Petr Cech

On 10/01/2015 01:19 PM, Jakub Hrozek wrote:

On Thu, Oct 01, 2015 at 12:38:49PM +0200, Petr Cech wrote:

Bump.



Thanks for reply, Jakub.


Why was 077 changed for 0177?

This change is something, which I think was discussed earlier in this
thread.


# pcech:
# > I would like to ask you if we would like to use 0077 or 0177 as our very
# > restrictive mask. I see that our code is not consistent on this question. I
# > know the difference is small, but it is.
#
# jhrozek:
# I guess 0177 should be used.

I think that we work only with files, not with directories, I should
check it again.

So, if it is risky, I will change it. :-)



About the name -- shouldn't we say just "SSS_DFL_UMASK" ? We are a
security project, therefore restrictive by default :-)

You're right, we are a security project by default, so I changed the
constant name.
From 0f1946aecec78e7faaa3f5815ad06969b1234389 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Tue, 15 Sep 2015 10:50:37 -0400
Subject: [PATCH] REFACTOR: Review of umask() function

We have many uses of umask() in our code. This patch substitutes
values with constants and adds comments in some cases.

Resolves:
https://fedorahosted.org/sssd/ticket/2424
---
 src/confdb/confdb.c | 2 +-
 src/p11_child/p11_child_nss.c   | 2 +-
 src/providers/krb5/krb5_ccache.c| 1 +
 src/providers/krb5/krb5_child.c | 2 +-
 src/responder/common/responder_common.c | 3 ++-
 src/responder/pam/pamsrv.c  | 3 ++-
 src/tests/check_and_open-tests.c| 2 +-
 src/tests/debug-tests.c | 4 ++--
 src/tests/util-tests.c  | 2 +-
 src/util/debug.c| 2 +-
 src/util/domain_info_utils.c| 4 ++--
 src/util/server.c   | 2 +-
 src/util/util.h | 2 ++
 13 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index d811f7cbf597db5c5ee5fa658c8864233da8f2e0..0f76a3d140ec832467c8382df088ac0e279207c0 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -659,7 +659,7 @@ int confdb_init(TALLOC_CTX *mem_ctx,
 return EIO;
 }
 
-old_umask = umask(0177);
+old_umask = umask(SSS_DFL_UMASK);
 
 ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL);
 umask(old_umask);
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 44ba6678893408dbfc0c6c7cfd5edcdaa789f518..87bc376bcd2add74388504ba7e591592d2a818c7 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -482,7 +482,7 @@ int main(int argc, const char *argv[])
 debug_level = SSSDBG_INVALID;
 
 clearenv();
-umask(077);
+umask(SSS_DFL_UMASK);
 
 pc = poptGetContext(argv[0], argc, argv, long_options, 0);
 while ((opt = poptGetNextOpt(pc)) != -1) {
diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c
index f9bb25efd4ca3257845c3b157667d21d24299f4a..5de596f341a53958f312d114c1f95c4728d9d5df 100644
--- a/src/providers/krb5/krb5_ccache.c
+++ b/src/providers/krb5/krb5_ccache.c
@@ -185,6 +185,7 @@ static errno_t create_ccache_dir(const char *ccdirname, uid_t uid, gid_t gid)
   "Creating directory [%s].\n", li->s);
 new_dir_mode = 0700;
 
+/* We need umask  because we will create directory. */
 old_umask = umask();
 ret = mkdir(li->s, new_dir_mode);
 umask(old_umask);
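
Review bot: the new comment above umask() says only that a directory will be created, not why this call site cannot use SSS_DFL_UMASK. Spell out which permission bits must survive for mkdir(li->s, new_dir_mode) with new_dir_mode = 0700, namely the owner search bit, so the exception is justified at the place where it is made.
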
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 1edf10ab81d283c45e9c3343341ceaa524970e11..be8db23df4660adcb59fcd2677b28ee415cd18d8 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -720,7 +720,7 @@ static krb5_error_code create_ccache(char *ccname, krb5_creds *creds)
 #endif
 
 /* Set a restrictive umask, just in case we end up creating any file */
-umask(077);
+umask(SSS_DFL_UMASK);
 
 /* we create a new context here as the main process one may have been
  * opened as root and contain possibly references (even open handles ?)
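
Review bot: this umask() is set once and never restored, so after the switch from 077 it governs everything the child creates later, while the comment above it only speaks of "any file". If SSS_DFL_UMASK is 0177 as discussed in the thread, a directory created afterwards with mode 0700 comes out as 0600. The same patch touches create_ccache_dir() in krb5_ccache.c, so check whether any directory creation can run under this mask before changing the value here.
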
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 2097004cb0fc24d8b356f9d924243f948227ef58..baaf0412b4a70537a2523a98ff33d8f34f194b47 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -690,7 +690,8 @@ static int set_unix_socket(struct resp_ctx *rctx)
 if (rctx->priv_sock_name != NULL ) {
 /* create privileged pipe */
 if (rctx->priv_lfd == -1) {
-ret = create_pipe_fd(rctx->priv_sock_name, >priv_lfd, 0177);
+ret = create_pipe_fd(rctx->priv_sock_name, >priv_lfd,
+ DFL_RSP_UMASK);
 if (ret != EOK) {
 goto failed;
 }
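
Review bot: this call site uses DFL_RSP_UMASK while the rest of the patch introduces SSS_DFL_UMASK, which leaves two constants for the same restrictive mask. Define DFL_RSP_UMASK in terms of SSS_DFL_UMASK, or drop one of them, so the responders cannot drift from the default later.
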
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 3fe467c3cfc4c63b9
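
An added example, not part of the SSSD patch or written by its authors, that measures the question raised in this thread: what a 0077 mask and a 0177 mask each leave on a newly created file and on a newly created directory. The function name, the scratch path and the requested modes are assumptions of the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum kind { KIND_FILE, KIND_DIR };

/* Create one object with the requested mode while `mask` is the process
 * umask, restore the previous umask, and return the permission bits the
 * object actually got (-1 on error). The scratch path is constructed here. */
static int mode_created_under(mode_t mask, enum kind kind, mode_t requested)
{
    const char *tmp = getenv("TMPDIR");
    char base[512], path[600];
    struct stat st;
    mode_t old_umask;
    int fd, ok = 0, result = -1;

    snprintf(base, sizeof(base), "%s/umask-demo-%ld", tmp ? tmp : "/tmp",
             (long)getpid());
    snprintf(path, sizeof(path), "%s/obj", base);
    if (mkdir(base, 0700) != 0) return -1;   /* fails if the name exists */

    old_umask = umask(mask);                 /* process-wide, so save it */
    if (kind == KIND_DIR) {
        ok = (mkdir(path, requested) == 0);
    } else {
        fd = open(path, O_CREAT | O_EXCL | O_WRONLY, requested);
        if (fd != -1) { close(fd); ok = 1; }
    }
    umask(old_umask);                        /* and always restore it */

    if (ok && stat(path, &st) == 0) result = (int)(st.st_mode & 0777);
    if (kind == KIND_DIR) rmdir(path); else unlink(path);
    rmdir(base);
    return result;
}

int main(void)
{
    static const mode_t masks[] = { 0077, 0177 };
    for (size_t i = 0; i < 2; i++) {
        printf("umask %04o: file(0666) -> %04o, dir(0700) -> %04o\n",
               (unsigned)masks[i],
               (unsigned)mode_created_under(masks[i], KIND_FILE, 0666),
               (unsigned)mode_created_under(masks[i], KIND_DIR, 0700));
    }
    return 0;
}
```

For regular files requested with 0666 the two masks give the same result; they differ only where the execute or search bit matters, which is the directory case.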

Re: [SSSD] [PATCH] [HBAC]: Better libhbac debuging

2015-10-01 Thread Petr Cech

On 09/18/2015 04:30 PM, Petr Cech wrote:

Hello,

there are fixed patches attached.


Bump.


Re: [SSSD] Review of umask() in SSSD

2015-10-01 Thread Petr Cech

Bump.


[SSSD] [PATCH] TEST: recent_valid filter testing

2015-10-02 Thread Petr Cech

Hi,

there is WiP attached. I removed some tests like this one some time ago.
They fail really often and we decided that the test logic was corrupted.
Now I am trying to get it back to the codebase.


There is some kind of cmocka magic around data provider. I think it 
creates test_user_1 during creation of filter.


In case of this type of tests, we need two users, one stored before 
filter request and one stored after filter request. There is a special 
type of filter which has a time parameter which it searches from. So the
filter returns only one user.


If this concept is right, I will send the whole patch.

Regards

Petr

PS: I applied my patch after 000*-cache_req_*. Those patches are on list.
From aa0b0ab7c0a95ff47d5003907730c5432ff7bb85 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Fri, 2 Oct 2015 07:34:08 -0400
Subject: [PATCH] TEST: recent_valid filter testing

Some tests were removed in the past. This is only WiP, not a regular patch.
I rewrote one of the removed tests. Is this the right way?

We speak about RECENT filter. It returns only records which
have been written or updated after filter was created (or another given
time). Some notes are written in comments of this patch.

Resolves:
https://fedorahosted.org/sssd/ticket/2730
---
 src/tests/cmocka/test_responder_cache_req.c | 60 -
 1 file changed, 58 insertions(+), 2 deletions(-)

diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
index bb79fd10eefd7186f17a1f9306b57ddca2e3279f..c01d92fd9f3f078d853da1642e63cdbc3a1aed7b 100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -1239,6 +1239,58 @@ static void cache_req_user_by_filter_test_done(struct tevent_req *req)
 ctx->tctx->done = true;
 }
 
+/* NOTE better name is filter_recent_valid */
+void test_users_by_filter_valid(void **state)
+{
+struct cache_req_test_ctx *test_ctx = NULL;
+TALLOC_CTX *req_mem_ctx = NULL;
+struct tevent_req *req = NULL;
+const char *ldbname = NULL;
+errno_t ret;
+
+test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+test_ctx->create_user = true;
+
+/* NOTE This user (#2) is stored before filter creation. */
+ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME2, "pwd", 1001, 1001,
+   NULL, NULL, NULL, "cn="TEST_USER_NAME2",dc=test", NULL,
+   NULL, 1000, time(NULL));
+assert_int_equal(ret, EOK);
+
+/* NOTE To make sure that the times of user/filter creation will vary.*/
+sleep(1);
+
+req_mem_ctx = talloc_new(global_talloc_context);
+check_leaks_push(req_mem_ctx);
+
+/* Filters always go to DP */
+will_return(__wrap_sss_dp_get_account_send, test_ctx);
+mock_account_recv_simple();
+
+/* NOTE During this call the TEST_USER_NAME (#1) will be stored. */
+req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev,
+test_ctx->rctx,
+test_ctx->tctx->dom->name,
+"test*");
+assert_non_null(req);
+
+tevent_req_set_callback(req, cache_req_user_by_filter_test_done, test_ctx);
+
+ret = test_ev_loop(test_ctx->tctx);
+assert_int_equal(ret, ERR_OK);
+assert_true(check_leaks_pop(req_mem_ctx));
+
+/* NOTE We receive only user #1, because #2 was stored before filter was created. */
+assert_non_null(test_ctx->result);
+assert_int_equal(test_ctx->result->count, 1);
+
+ldbname = ldb_msg_find_attr_as_string(test_ctx->result->msgs[0],
+  SYSDB_NAME, NULL);
+assert_non_null(ldbname);
+assert_string_equal(ldbname, TEST_USER_NAME);
+}
+
+
 void test_users_by_filter_filter_old(void **state)
 {
 struct cache_req_test_ctx *test_ctx = NULL;
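
Review bot: the sleep(1) between storing user #2 and sending the filter request makes the test a second slower and ties its result to wall-clock granularity. sysdb_store_user() already takes the timestamp as its last argument (time(NULL) here), so store user #2 with an explicitly older time and drop the sleep. The NOTE at the top also says the better name is filter_recent_valid; apply that rename before the final patch.
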
@@ -1429,7 +1481,7 @@ int main(int argc, const char *argv[])
 };
 
 const struct CMUnitTest tests[] = {
-new_single_domain_test(user_by_name_cache_valid),
+/*new_single_domain_test(user_by_name_cache_valid),
 new_single_domain_test(user_by_name_cache_expired),
 new_single_domain_test(user_by_name_cache_midpoint),
 new_single_domain_test(user_by_name_ncache),
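
Review bot: the `/*` opened before new_single_domain_test(user_by_name_cache_valid) comments out the existing entries in tests[], so a run of this binary exercises only users_by_filter_valid and says nothing about regressions in the other cache_req tests. Keep the commented-out list out of the submitted patch and add the new test alongside the existing ones.
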
@@ -1475,13 +1527,17 @@ int main(int argc, const char *argv[])
 new_single_domain_test(group_by_id_missing_notfound),
 new_multi_domain_test(group_by_id_multiple_domains_found),
 new_multi_domain_test(group_by_id_multiple_domains_notfound),
+*/
+new_single_domain_test(users_by_filter_valid),
 
+/*
 new_single_domain_test(users_by_filter_filter_old),
 new_single_domain_test(users_by_filter_notfound),
 new_multi_domain_test(users_by_filter_multiple_domains_notfound),
 new_single_domain_test(g
