Re: [SSSD] [WIKI] Contribute and DevelTips are duplicate
On 07/17/2015 01:26 PM, Petr Cech wrote:
Hi,
I have read the wiki pages. And I have the edited version. It would be difficult to send the diff, so I started new pages where you can view the result.
Original pages:
[ 1] https://fedorahosted.org/sssd/wiki/Contribute
[ 2] https://fedorahosted.org/sssd/wiki/DevelTips
[ 3] https://fedorahosted.org/sssd/wiki/DevelTutorials
[ 4] https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs
[ 5] https://fedorahosted.org/sssd/wiki/BugLifecycle
[ 6] https://fedorahosted.org/sssd/wiki/Repositories
Content of [3] has been divided between [1] and [3], content of [5] has been divided between [1] and [4]. Then [3,5,6] will be deleted.
Test of new pages:
[ 7] https://fedorahosted.org/sssd/wiki/pcech_test_contribute
[ 8] https://fedorahosted.org/sssd/wiki/pcech_test_devel_tips
[ 9] https://fedorahosted.org/sssd/wiki/pcech_test_reporting_sssd_bugs
Note that the links lead to the original pages. At [7] you can find the COPR Repository section, but I am not sure about the text there. Please look at it. I did not go through the whole wiki. I think there might be a link from [8] (perhaps [9]) on Troubleshooting.
I look forward to your comments; I need the opinions of other people.
Petr

Hi,
I did some little edits according to a talk with Jakub:
* deleting Code Submission Process in Contribute
* simplifying the structure of the headings in Contribute
* adding a link to the tevent documentation in Devel tips
* merging SSSD bug report
and we would like to move the link to the COPR repo to the homepage (and add a note about the Ubuntu package, is it right?)
So the new version (without homepage and link to Ubuntu repo) is in the same place:
[ 7] https://fedorahosted.org/sssd/wiki/pcech_test_contribute
[ 8] https://fedorahosted.org/sssd/wiki/pcech_test_devel_tips
[ 9] https://fedorahosted.org/sssd/wiki/pcech_test_reporting_sssd_bugs
Petr
___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCH] DATA_PROVIDER: BE_REQ as string in log message
On 08/05/2015 11:23 AM, Jakub Hrozek wrote:
B) While writing a patch Lukas noticed another similar logging message:
[sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [LDAP][3][1][name=mof_user6]
I investigated it. This is the same thing -- BE_REQ_*, but it is no longer in the provider, but in the responder. Can you please advise me where I could write the function 'be_req2str'?
I think you should move it to a separate file, as you don't want to share more code than necessary.
There are 2 possibilities where to have this file
a) in src/providers - responders already link with some modules from this folder, so I suppose it's viable
Yes, this is a bit of a hierarchy violation, but in the end we need to share the constants somehow. I think it's fine to keep the definitive version in the providers/dp_* hierarchy, because that's where the interface is defined, the responder is a consumer.
There is a new patch attached. I think that constants and const2str() functions should be in one place. I tried to suggest how we might share our constants. That's why I created a new header file into which we could move all the constants in the future. I am open to discussion. I look forward to your views.
Petr
From 511224743e8d8e788e9701f0fb3db418ca12b506 Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com Date: Tue, 18 Aug 2015 06:59:31 -0400 Subject: [PATCH] DATA_PROVIDER: BE_REQ as string in log message Add be_req2str() for translation BE_REQ to string. So we will have || Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian] instead of || Got request for [0x1001][1][name=celestian] Function be_req2str() is used in data provider and in responder too. So this patch create new header file data_provider_req.h which delivers function be_req2str() and definitions of BE_REQ_*. Resolves: https://fedorahosted.org/sssd/ticket/2708 --- Makefile.am | 5 +- src/providers/ad/ad_id.c | 1 + src/providers/data_provider.h | 16 --- src/providers/data_provider_be.c | 4 +- src/providers/data_provider_req.c | 68 +++ src/providers/data_provider_req.h | 51 src/providers/ipa/ipa_id.c| 1 + src/providers/ipa/ipa_s2n_exop.c | 1 + src/providers/ipa/ipa_subdomains_ext_groups.c | 1 + src/providers/ipa/ipa_subdomains_id.c | 1 + src/providers/ipa/ipa_views.c | 1 + src/providers/ldap/ldap_id.c | 1 + src/providers/ldap/sdap_refresh.c | 1 + src/providers/ldap/sdap_sudo.c| 1 + src/providers/proxy/proxy_id.c| 1 + src/providers/simple/simple_access_check.c| 1 + src/responder/autofs/autofssrv_dp.c | 1 + src/responder/common/responder_dp.c | 5 +- src/responder/ssh/sshsrv_dp.c | 1 + src/responder/sudo/sudosrv_dp.c | 1 + 20 files changed, 143 insertions(+), 20 deletions(-) create mode 100644 src/providers/data_provider_req.c create mode 100644 src/providers/data_provider_req.h diff --git a/Makefile.am b/Makefile.am index ed107fd5dc76b768176a3d7236b0bf1c75f212bf..f71eb862ee935b2c6662678d7c20a12d2e62bf71 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -445,7 +445,8 @@ SSSD_RESPONDER_OBJ = \ src/monitor/monitor_iface_generated.c \ src/monitor/monitor_iface_generated.h \ src/providers/data_provider_iface_generated.c \ -src/providers/data_provider_iface_generated.h +src/providers/data_provider_iface_generated.h \ +src/providers/data_provider_req.c SSSD_TOOLS_OBJ = \ src/tools/sss_sync_ops.c \ @@ -1191,6 +1192,7 @@ endif sssd_be_SOURCES = \ src/providers/data_provider_be.c \ +src/providers/data_provider_req.c \ src/providers/data_provider_fo.c \ src/providers/data_provider_opts.c \ src/providers/data_provider_callbacks.c \ @@ -1643,6 +1645,7 @@ simple_access_tests_SOURCES = \ src/providers/simple/simple_access.c \ src/providers/simple/simple_access_check.c \ src/providers/data_provider_be.c \ +src/providers/data_provider_req.c \ src/providers/data_provider_fo.c \ src/providers/data_provider_opts.c \ src/providers/data_provider_callbacks.c \ diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c index 7a0c6eccd2d2f0d4f8a545a9d4873a9447179a00..c0d8218d46d20f59ef53520dd0c6793ce553773c 100644 --- a/src/providers/ad/ad_id.c +++ b/src/providers/ad/ad_id.c @@ -21,6 +21,7 @@ */ #include util/util.h #include util/strtonum.h +#include providers/data_provider_req.h #include providers/ad/ad_common.h #include providers/ad/ad_id.h #include providers/ad/ad_domain_info.h diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h index 510c63ce41c99314ec8fcf11fffb2e66082e8951..fd4b6d3d7f66756aeb5b4dade3bfbb8953f5ddf1 100644 --- a/src/providers
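Review bot: the Makefile.am hunks add src/providers/data_provider_req.c to SSSD_RESPONDER_OBJ, sssd_be_SOURCES and simple_access_tests_SOURCES, but the new header src/providers/data_provider_req.h (listed as created in the diffstat) is not added to dist_noinst_HEADERS, so it will be missing from the distribution tarball and a distcheck or out-of-tree build fails on `#include providers/data_provider_req.h`. Add `src/providers/data_provider_req.h \` next to `src/providers/data_provider.h \` in that list.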
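Review bot: the ad_id.c hunk, and every other one-line `+` entry in the diffstat, only needs `#include providers/data_provider_req.h` because the BE_REQ_* constants moved out of data_provider.h, which all of those files already include. Including data_provider_req.h from data_provider.h instead keeps the consumers untouched and shrinks this patch to Makefile.am, the two new files, data_provider_be.c and responder_dp.c.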
Re: [SSSD] [PATCH] TESTS: Removing part of responder_cache_req-tests
On 08/21/2015 02:35 PM, Michal Židek wrote:
Hi, some of the tests you deleted are valid and should not be deleted. Only those tests that rely on time(NULL) being the same as the time of request creation are invalid. All those that test old entries or nonexistent entries are OK. See comments inline.
I agree. Those tests have a different logic. So I returned them.
Petr
From 63defe03797a8a9038e49400089a732bd35efaca Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Fri, 21 Aug 2015 16:44:37 +0200
Subject: [PATCH] TESTS: Removing part of responder_cache_req-tests
If you call cache_req_[user|group]_by_filter_send() it then later calls updated_[users|groups]_by_filter(), which adds a filter that is called recent. This filter causes only [users|groups] added after the request started to be returned. This patch removes tests which use cache_req_[user|group]_by_filter_send(), because the logic of those tests is corrupted. The tests create [users|groups] and after that they call cache_req_[user|group]_by_filter_send(). So it is obvious that this is not done in the right manner. A possible fix is to rewrite the tests to create the entries in the callback.
Resolves: https://fedorahosted.org/sssd/ticket/2730
---
src/tests/cmocka/test_responder_cache_req.c | 211 --- 1 files changed, 0 insertions(+), 211 deletions(-)
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c index 032fe429ac88b8cc9113976329ea04837f287276..bc6e2dc8f86a8fa8dc322da10fff4883f075ec7d 100644 --- a/src/tests/cmocka/test_responder_cache_req.c +++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -1710,54 +1710,6 @@ static void cache_req_user_by_filter_test_done(struct tevent_req *req) ctx-tctx-done = true; } -void test_users_by_filter_valid(void **state) -{ -struct cache_req_test_ctx *test_ctx = NULL; -TALLOC_CTX *req_mem_ctx = NULL; -struct tevent_req *req = NULL; -const char *ldbname = NULL; -errno_t ret; - -test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -test_ctx-create_user = true; - -ret = sysdb_store_user(test_ctx-tctx-dom, TEST_USER_NAME2, pwd, 1001, 1001, - NULL, NULL, NULL, cn=TEST_USER_NAME2,dc=test, NULL, - NULL, 1000, time(NULL)); -assert_int_equal(ret, EOK); - -req_mem_ctx = talloc_new(global_talloc_context); -check_leaks_push(req_mem_ctx); - -/* Filters always go to DP */ -will_return(__wrap_sss_dp_get_account_send, test_ctx); -mock_account_recv_simple(); - -req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx-tctx-ev, -test_ctx-rctx, -test_ctx-tctx-dom-name, -test*); -assert_non_null(req); -tevent_req_set_callback(req, cache_req_user_by_filter_test_done, test_ctx); - -ret = test_ev_loop(test_ctx-tctx); -assert_int_equal(ret, ERR_OK); -assert_true(check_leaks_pop(req_mem_ctx)); - -assert_non_null(test_ctx-result); -assert_int_equal(test_ctx-result-count, 2); - -ldbname = ldb_msg_find_attr_as_string(test_ctx-result-msgs[0], - SYSDB_NAME, NULL); -assert_non_null(ldbname); -assert_string_equal(ldbname, TEST_USER_NAME2); - -ldbname = ldb_msg_find_attr_as_string(test_ctx-result-msgs[1], - SYSDB_NAME, NULL); -assert_non_null(ldbname); -assert_string_equal(ldbname, TEST_USER_NAME); -} - void test_users_by_filter_filter_old(void **state) { struct cache_req_test_ctx *test_ctx = NULL; 
@@ -1831,63 +1783,6 @@ void test_users_by_filter_notfound(void **state) assert_true(check_leaks_pop(req_mem_ctx)); } -static void test_users_by_filter_multiple_domains_valid(void **state) -{ -struct cache_req_test_ctx *test_ctx = NULL; -struct sss_domain_info *domain = NULL; -TALLOC_CTX *req_mem_ctx = NULL; -struct tevent_req *req = NULL; -const char *ldbname = NULL; -errno_t ret; - -test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); - -domain = find_domain_by_name(test_ctx-tctx-dom, - responder_cache_req_test_d, true); -assert_non_null(domain); - -ret = sysdb_store_user(domain, TEST_USER_NAME, pwd, 1000, 1000, - NULL, NULL, NULL, cn=TEST_USER_NAME,dc=test, NULL, - NULL, 1000, time(NULL)); -assert_int_equal(ret, EOK); - -ret = sysdb_store_user(domain, TEST_USER_NAME2, pwd, 1001, 1001, - NULL, NULL, NULL, cn=TEST_USER_NAME2,dc=test, NULL, - NULL, 1000, time(NULL)); -assert_int_equal(ret, EOK); - -req_mem_ctx = talloc_new(global_talloc_context); -check_leaks_push(req_mem_ctx); - -/* Filters always go to DP */ -will_return(__wrap_sss_dp_get_account_send
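Review bot: the two removed tests, test_users_by_filter_valid and test_users_by_filter_multiple_domains_valid, both call sysdb_store_user() with `time(NULL)` as the `now` argument and only afterwards issue cache_req_user_by_filter_send(), so they are indeed the time-ordering cases the commit message describes; deleting them, however, drops the only coverage of the successful by-filter path, and the commit message already names the fix (create the entries from inside the request callback). Prefer rewriting them to that ordering, or keeping them disabled with a comment pointing at ticket 2730, over removing them outright, so the lost coverage stays visible in the file.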
Re: [SSSD] [PATCH] sssd: incorrect checks on length values during packet, decoding
On 07/23/2015 02:44 PM, Michal Židek wrote:
Hi, see the attached patch for ticket https://fedorahosted.org/sssd/ticket/1697
I think this is a candidate to include in our coding guidelines.
I agree. It is a candidate.
Thanks, Michal
I built it, tests are OK and CI is here: http://sssd-ci.duckdns.org/logs/commit/4f/9768ec28a6327f4c865d4e7a5c547681f9a8af/2370/summary.html (The failure is not connected to this patch.)
ACK
Petr
[SSSD]Re: Re: [PATCH] DATA_PROVIDER: BE_REQ as string in log message
On 08/21/2015 01:08 PM, Pavel Reichl wrote:
Hello Petr, make distcheck fails:
/workspace/ci/label/rhel7/ci-build-debug/sssd-1.13.1/_inst/share/locale\ -g3 -O2 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -c ../src/providers/ldap/ldap_id.c -fPIC -DPIC -o src/providers/ldap/.libs/libsss_ldap_common_la-ldap_id.o
../src/providers/ldap/ldap_id.c:33:41: fatal error: providers/data_provider_req.h: No such file or directory
#include providers/data_provider_req.h
you can fix this by something like:
Makefile.am
@@ -584,6 +584,7 @@ dist_noinst_HEADERS = \ src/confdb/confdb_private.h \ src/confdb/confdb_setup.h \ src/providers/data_provider.h \ +src/providers/data_provider_req.h \
I think that data_provider_req.h should be included in data_provider.h, you could save a lot of changes in source files that require both of them.
Thanks. There is a repaired patch attached.
Petr
From 7f154378f56a01ca65bfeba9985c605214d628b8 Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Tue, 18 Aug 2015 06:59:31 -0400
Subject: [PATCH] DATA_PROVIDER: BE_REQ as string in log message
Add be_req2str() for translation of BE_REQ to string. So we will have
|| Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]
instead of
|| Got request for [0x1001][1][name=celestian]
Function be_req2str() is used in the data provider and in the responder too. So this patch creates a new header file data_provider_req.h which delivers function be_req2str() and definitions of BE_REQ_*.
Resolves: https://fedorahosted.org/sssd/ticket/2708
---
Makefile.am | 6 +++- src/providers/data_provider.h | 17 +- src/providers/data_provider_be.c| 3 +- src/providers/data_provider_req.c | 68 + src/providers/data_provider_req.h | 51 src/responder/common/responder_dp.c | 4 +-- 6 files changed, 129 insertions(+), 20 deletions(-) create mode 100644 src/providers/data_provider_req.c create mode 100644 src/providers/data_provider_req.h
diff --git a/Makefile.am b/Makefile.am index f153ab0adf390880672a1681b386ea26426465cb..94920b29d7aab44085e401f8ada8555ab69fed6a 100644 --- a/Makefile.am +++ b/Makefile.am @@ -446,7 +446,8 @@ SSSD_RESPONDER_OBJ = \ src/monitor/monitor_iface_generated.c \ src/monitor/monitor_iface_generated.h \ src/providers/data_provider_iface_generated.c \ -src/providers/data_provider_iface_generated.h +src/providers/data_provider_iface_generated.h \ +src/providers/data_provider_req.c SSSD_TOOLS_OBJ = \ src/tools/sss_sync_ops.c \ @@ -583,6 +584,7 @@ dist_noinst_HEADERS = \ src/confdb/confdb_private.h \ src/confdb/confdb_setup.h \ src/providers/data_provider.h \ +src/providers/data_provider_req.h \ src/providers/dp_backend.h \ src/providers/dp_dyndns.h \ src/providers/dp_ptask_private.h \ @@ -1193,6 +1195,7 @@ endif sssd_be_SOURCES = \ src/providers/data_provider_be.c \ +src/providers/data_provider_req.c \ src/providers/data_provider_fo.c \ src/providers/data_provider_opts.c \ src/providers/data_provider_callbacks.c \ @@ -1646,6 +1649,7 @@ simple_access_tests_SOURCES = \ src/providers/simple/simple_access.c \ src/providers/simple/simple_access_check.c \ src/providers/data_provider_be.c \ +src/providers/data_provider_req.c \ src/providers/data_provider_fo.c \ src/providers/data_provider_opts.c \ src/providers/data_provider_callbacks.c \ diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h index 510c63ce41c99314ec8fcf11fffb2e66082e8951..39051b90c3aad96f62dcbb86a20bcfd8c954879b 100644 --- a/src/providers/data_provider.h +++ b/src/providers/data_provider.h @@ -43,6 +43,7 @@ #include sbus/sbus_client.h #include sss_client/sss_cli.h #include util/authtok.h +#include providers/data_provider_req.h #include providers/data_provider_iface_generated.h #define DATA_PROVIDER_VERSION 0x0001 
@@ -131,22 +132,6 @@ #define BE_FILTER_CERT 6 #define BE_FILTER_WILDCARD 7 -#define BE_REQ_USER 0x0001 -#define BE_REQ_GROUP 0x0002 -#define BE_REQ_INITGROUPS0x0003 -#define BE_REQ_NETGROUP 0x0004 -#define BE_REQ_SERVICES 0x0005 -#define BE_REQ_SUDO_FULL 0x0006 -#define BE_REQ_SUDO_RULES0x0007 -#define BE_REQ_AUTOFS0x0009 -#define BE_REQ_HOST 0x0010 -#define BE_REQ_BY_SECID 0x0011 -#define BE_REQ_USER_AND_GROUP 0x0012 -#define BE_REQ_BY_UUID 0x0013 -#define BE_REQ_BY_CERT 0x0014 -#define BE_REQ_TYPE_MASK 0x00FF -#define BE_REQ_FAST 0x1000 - #define DP_SEC_ID secid #define DP_CERT cert /* sizeof() counts the trailing \0 so we must substract 1 for the string diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c index d147630248f0a24f5a632760b55b9284a6928e40
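Review bot: with `#include providers/data_provider_req.h` now pulled in from data_provider.h (hunk at line 43) and the whole BE_REQ_* block removed from it (hunk at line 131), data_provider_req.h must stay self-contained: if the new header includes providers/data_provider.h for convenience, the two headers include each other and whether BE_REQ_* is visible at a given point depends on include order and guards. Keep data_provider_req.h limited to the constants and the be_req2str() prototype, and have data_provider_req.c include data_provider_req.h directly rather than reaching it through data_provider.h.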
Re: [SSSD] [PATCH] DATA_PROVIDER: BE_REQ as string in log message
On 08/21/2015 05:10 PM, Pavel Reichl wrote:
Petr can you change data_provider_req.c to include providers/data_provider_req.h instead of providers/data_provider.h ? I originally thought that you will be able to include solely data_provider_req.h from responder_dp.c but I see that data_provider.h is required. But I still don't mind introducing data_provider_req.h. If you change this little nitpick I think I can ACK the patch.
Pavel, you're right, that's my main opinion on this issue. I am sorry, I need more focus and coffee. There is a fixed (not repaired) patch.
Petr
From aebda5def026d7a0fc40c4034ef18ba97ada5f36 Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Tue, 18 Aug 2015 06:59:31 -0400
Subject: [PATCH] DATA_PROVIDER: BE_REQ as string in log message
Add be_req2str() for translation of BE_REQ to string. So we will have
|| Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]
instead of
|| Got request for [0x1001][1][name=celestian]
Function be_req2str() is used in the data provider and in the responder too. So this patch creates a new header file data_provider_req.h which delivers function be_req2str() and definitions of BE_REQ_*.
Resolves: https://fedorahosted.org/sssd/ticket/2708
---
Makefile.am | 6 +++- src/providers/data_provider.h | 17 +- src/providers/data_provider_be.c| 3 +- src/providers/data_provider_req.c | 68 + src/providers/data_provider_req.h | 51 src/responder/common/responder_dp.c | 4 +-- 6 files changed, 129 insertions(+), 20 deletions(-) create mode 100644 src/providers/data_provider_req.c create mode 100644 src/providers/data_provider_req.h
diff --git a/Makefile.am b/Makefile.am index f153ab0adf390880672a1681b386ea26426465cb..94920b29d7aab44085e401f8ada8555ab69fed6a 100644 --- a/Makefile.am +++ b/Makefile.am
@@ -446,7 +446,8 @@ SSSD_RESPONDER_OBJ = \ src/monitor/monitor_iface_generated.c \ src/monitor/monitor_iface_generated.h \ src/providers/data_provider_iface_generated.c \ -src/providers/data_provider_iface_generated.h +src/providers/data_provider_iface_generated.h \ +src/providers/data_provider_req.c SSSD_TOOLS_OBJ = \ src/tools/sss_sync_ops.c \ @@ -583,6 +584,7 @@ dist_noinst_HEADERS = \ src/confdb/confdb_private.h \ src/confdb/confdb_setup.h \ src/providers/data_provider.h \ +src/providers/data_provider_req.h \ src/providers/dp_backend.h \ src/providers/dp_dyndns.h \ src/providers/dp_ptask_private.h \ @@ -1193,6 +1195,7 @@ endif sssd_be_SOURCES = \ src/providers/data_provider_be.c \ +src/providers/data_provider_req.c \ src/providers/data_provider_fo.c \ src/providers/data_provider_opts.c \ src/providers/data_provider_callbacks.c \ @@ -1646,6 +1649,7 @@ simple_access_tests_SOURCES = \ src/providers/simple/simple_access.c \ src/providers/simple/simple_access_check.c \ src/providers/data_provider_be.c \ +src/providers/data_provider_req.c \ src/providers/data_provider_fo.c \ src/providers/data_provider_opts.c \ src/providers/data_provider_callbacks.c \ diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h index 510c63ce41c99314ec8fcf11fffb2e66082e8951..39051b90c3aad96f62dcbb86a20bcfd8c954879b 100644 --- a/src/providers/data_provider.h +++ b/src/providers/data_provider.h @@ -43,6 +43,7 @@ #include sbus/sbus_client.h #include sss_client/sss_cli.h #include util/authtok.h +#include providers/data_provider_req.h #include providers/data_provider_iface_generated.h #define DATA_PROVIDER_VERSION 0x0001 
@@ -131,22 +132,6 @@ #define BE_FILTER_CERT 6 #define BE_FILTER_WILDCARD 7 -#define BE_REQ_USER 0x0001 -#define BE_REQ_GROUP 0x0002 -#define BE_REQ_INITGROUPS0x0003 -#define BE_REQ_NETGROUP 0x0004 -#define BE_REQ_SERVICES 0x0005 -#define BE_REQ_SUDO_FULL 0x0006 -#define BE_REQ_SUDO_RULES0x0007 -#define BE_REQ_AUTOFS0x0009 -#define BE_REQ_HOST 0x0010 -#define BE_REQ_BY_SECID 0x0011 -#define BE_REQ_USER_AND_GROUP 0x0012 -#define BE_REQ_BY_UUID 0x0013 -#define BE_REQ_BY_CERT 0x0014 -#define BE_REQ_TYPE_MASK 0x00FF -#define BE_REQ_FAST 0x1000 - #define DP_SEC_ID secid #define DP_CERT cert /* sizeof() counts the trailing \0 so we must substract 1 for the string diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c index d147630248f0a24f5a632760b55b9284a6928e40..d71a69cb8e2997975828236998ec0b0e3f353f07 100644 --- a/src/providers/data_provider_be.c +++ b/src/providers/data_provider_be.c @@ -1104,7 +1104,8 @@ static int be_get_account_info(struct sbus_request *dbus_req, void *user_data) return EOK; /* handled */ DEBUG(SSSDBG_FUNC_DATA, - Got request for [%#x][%d][%s]\n, type, attr_type, filter); + Got request for [%#x][%s][%d][%s]\n, type, be_req2str
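Review bot: the data_provider_be.c hunk hands the raw `type` word to be_req2str() for the new `%s` in `Got request for [%#x][%s][%d][%s]`, and the commit message expects 0x1001 to print as `FAST BE_REQ_USER`; that only works if be_req2str() masks with BE_REQ_TYPE_MASK, tests BE_REQ_FAST separately, and returns a fixed string for values not in the list (0x0008 is unassigned, for instance), because passing NULL to `%s` is undefined behaviour and glibc's `(null)` output cannot be relied on. A small unit test on 0x1001, a plain 0x0001 and an unknown value would pin this down.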
[SSSD]Re: Re: [PATCH] TESTS: ldap_id_cleanup timeouts
On 08/21/2015 01:33 PM, Michal Židek wrote:
On 08/20/2015 01:50 PM, Petr Cech wrote:
On 08/19/2015 08:26 PM, Michal Židek wrote:
Hi! This is another patch to avoid failing tests in the CI (make-check-valgrind). This time the ldap_id_cleanup tests. Looks like the one second cache timeout was too short and the tests sometimes failed because they expected the entries to be still valid for a short while after they were added to sysdb. I saw the failures only on the Fedora 20 CI machine. See the attached patch.
Michal
Hi, I just ran your patch on my F22 VM and I see some trouble here... see attachment.
Petr
PS: I used a clean GIT and your patch, nothing else. I know that this problem is a different one than you solved. But it is still an issue.
I just saw 2 more fails in the CI because of the short cache timeout. The problem you see, as you said as well, is a different one and I agree it should be solved as well, but so far we were able to reproduce it on your computer only and I did not see fails in the CI because of that problem. I would suggest pushing this patch (if you ACK it, that is) to fix CI and looking at the problem you found later.
Michal
OK, I agree. There is a new ticket about the mentioned bug: https://fedorahosted.org/sssd/ticket/2768
And there are CI tests: http://sssd-ci.duckdns.org/logs/job/23/57/summary.html (The failure is not connected to this patch.)
ACK
Petr
Re: [SSSD] [PATCH] TESTS: ldap_id_cleanup timeouts
On 08/19/2015 08:26 PM, Michal Židek wrote:
Hi! This is another patch to avoid failing tests in the CI (make-check-valgrind). This time the ldap_id_cleanup tests. Looks like the one second cache timeout was too short and the tests sometimes failed because they expected the entries to be still valid for a short while after they were added to sysdb. I saw the failures only on the Fedora 20 CI machine. See the attached patch.
Michal
Hi, I just ran your patch on my F22 VM and I see some trouble here... see attachment.
Petr
PS: I used a clean GIT and your patch, nothing else. I know that this problem is a different one than you solved. But it is still an issue.
(Thu Aug 20 07:40:49:577840 2015) [sssd] [test_multidom_suite_cleanup] (0x0020): Could not delete the test config ldb file [20]: (Not a directory)
(Thu Aug 20 07:40:49:577887 2015) [sssd] [test_multidom_suite_cleanup] (0x0020): Could not delete the test domain ldb file [20]: (Not a directory)
(Thu Aug 20 07:40:49:577899 2015) [sssd] [test_multidom_suite_cleanup] (0x0020): Could not delete the test dir (20) (Not a directory)
[==] Running 1 test(s).
[ RUN ] test_id_cleanup_exp_group
(Thu Aug 20 07:40:49:578773 2015) [sssd] [ldb] (0x0020): Unable to open tdb 'test_ldap_id_cleanup/tests_conf.ldb': Not a directory
(Thu Aug 20 07:40:49:578786 2015) [sssd] [ldb] (0x0020): Failed to connect to 'test_ldap_id_cleanup/tests_conf.ldb' with backend 'tdb': Unable to open tdb 'test_ldap_id_cleanup/tests_conf.ldb': Not a directory
(Thu Aug 20 07:40:49:578791 2015) [sssd] [confdb_init] (0x0010): Unable to open config database [test_ldap_id_cleanup/tests_conf.ldb]
Could not run the test - check test fixtures
[ ERROR ] test_id_cleanup_exp_group
[==] 1 test(s) run.
[ PASSED ] 0 test(s).
FAIL test_ldap_id_cleanup (exit status: 1)
Re: [SSSD] [PATCH] UTIL: Function 2string for enum sss_cli_command
On 08/13/2015 11:11 AM, Lukas Slebodnik wrote:
From a93e36f11759cf9a748942e7632d4a07a088b098 Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Wed, 8 Jul 2015 07:17:28 -0400
Subject: [PATCH] UTIL: Function 2string for enum sss_cli_command
Improvement of debug messages. Instead of:
(0x0400): Running command [17]...
We could see:
(0x0400): Running command [17][SSS_NSS_GETPWNAM]...
(It's not used in sss_client. There are only hex numbers of commands.)
Resolves: https://fedorahosted.org/sssd/ticket/2708
The patch does not apply to master. I had to use a three-way merge. Please rebase it.
Rebased.
---
Makefile.am | 3 +- src/providers/dp_pam_data_util.c | 27 + src/responder/nss/nsssrv_cmd.c | 30 ++--- src/sss_client/pam_sss.c | 6 +- src/tools/tools_mc_util.c| 4 +- src/util/sss_cli_cmd.c | 238 +++ src/util/sss_cli_cmd.h | 28 + 7 files changed, 293 insertions(+), 43 deletions(-) create mode 100644 src/util/sss_cli_cmd.c create mode 100644 src/util/sss_cli_cmd.h
diff --git a/Makefile.am b/Makefile.am index b8cbc6df23ded1edb945a709b6dbe1c44eb54017..430f2292a1be9e0f0b7cb56e8ecbf179e9978dcd 100644 --- a/Makefile.am +++ b/Makefile.am @@ -678,7 +678,8 @@ endif pkglib_LTLIBRARIES += libsss_debug.la libsss_debug_la_SOURCES = \ src/util/debug.c \ -src/util/sss_log.c +src/util/sss_log.c \ +src/util/sss_cli_cmd.c
We decided to add $NULL at the end of the list so in the future you will not need to change two lines if you add a new file.
$NULL added.
libsss_debug_la_LIBADD = \ $(SYSLOG_LIBS) libsss_debug_la_LDFLAGS = \ diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c index 0129467302f16af3180a5be47ff2e235da65..d37a13820ef857fcf43efba3fb07535c4b6eb509 100644 --- a/src/responder/nss/nsssrv_cmd.c +++ b/src/responder/nss/nsssrv_cmd.c
@@ -1656,7 +1656,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, case SSS_PAM_CLOSE_SESSION: break; default: -D((Illegal task [%d], task)); +D((Illegal task [%#x],task)); ^ There was a space before change. Could you return it back. Returned. return PAM_SYSTEM_ERR; } diff --git a/src/util/sss_cli_cmd.c b/src/util/sss_cli_cmd.c new file mode 100644 index ..97b967b4014193dc8f7571e5fe821523d469f201 --- /dev/null +++ b/src/util/sss_cli_cmd.c 
@@ -0,0 +1,238 @@ +/* + SSSD - cmd2str util + + Copyright (C) Petr Cech pc...@redhat.com 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see http://www.gnu.org/licenses/. +*/ + +#include sss_client/sss_cli.h +#include util/sss_cli_cmd.h +#include util/util.h + +const char *sss_cmd2str(enum sss_cli_command cmd) +{ //snip + +#if 0 +/* shadow */ +case SSS_NSS_GETSPNAM: +return SSS_NSS_GETSPNAM; +case SSS_NSS_GETSPUID: +return SSS_NSS_GETSPUID; +case SSS_NSS_SETSPENT: +return SSS_NSS_SETSPENT; +case SSS_NSS_GETSPENT: +return SSS_NSS_GETSPENT; +case SSS_NSS_ENDSPENT: +return SSS_NSS_ENDSPENT; +#endif
I think it's better to be consistent with the header file and we can have unused options here. But it's better not to add spaces before '#'. I saw a pattern in some header files where spaces were added after this character. Something like
#if defined __GNUC__
# if defined __NO_INLINE__
# define HAVE_INLINE 0
# else
# define HAVE_INLINE 1
# ifndef inline
# define inline __inline__
# endif
# endif
#elif defined __cplusplus
Please remove the indentation for #if and #endif in the whole file.
Removed.
+ +/* SUDO */ +case SSS_SUDO_GET_SUDORULES: +return SSS_SUDO_GET_SUDORULES; +case SSS_SUDO_GET_DEFAULTS: +return SSS_SUDO_GET_DEFAULTS; + //snip + +/* ID-SID mapping calls */ +case SSS_NSS_GETSIDBYNAME: +return SSS_NSS_GETSIDBYNAME; +case SSS_NSS_GETSIDBYID: +return SSS_NSS_GETSIDBYID; +case SSS_NSS_GETNAMEBYSID: +return SSS_NSS_GETNAMEBYSID; +case SSS_NSS_GETIDBYSID: +return SSS_NSS_GETIDBYSID; +case SSS_NSS_GETORIGBYNAME: +return SSS_NSS_GETORIGBYNAME; +default: +DEBUG
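Review bot: the sss_cmd2str() switch ends in a `default:` that logs through DEBUG; whatever it returns after that must be a fixed, non-NULL string (for instance "UNKNOWN"), because the call sites changed in nsssrv_cmd.c and dp_pam_data_util.c feed the result to a `%s` conversion. Also, the presence of a `default:` label means gcc's -Wswitch no longer warns when an enumerator is added to enum sss_cli_command without a matching case here, so new commands silently decay to the fallback; either drop `default:` and put the fallback `return` after the switch, or add a test that walks the known commands. The `#if 0` block for SSS_NSS_GETSPNAM and friends is fine to keep in step with the header as long as its `#if`/`#endif` stay unindented as agreed above.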
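An added example, written for this editing pass and not taken from SSSD, of the pattern both the be_req2str() thread above and this sss_cmd2str() patch are after: turning a numeric request or command word into a log-friendly name without ever handing NULL to a `%s` conversion. The BE_REQ_* values are the ones visible in the data_provider.h hunk; the function names be_req_type2str() and be_req2str_ex(), the caller-supplied buffer, the "BE_REQ_UNKNOWN" fallback and the "+UNKNOWN_FLAGS" marker are this example's own choices, not SSSD's. Unlike a bare switch on the raw value, it masks the type bits with BE_REQ_TYPE_MASK before matching, reports BE_REQ_FAST separately (so 0x1001 renders as the commit message expects), and makes stray bits and unassigned values such as 0x0008 visible instead of silently dropping them.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not SSSD code). The BE_REQ_* values are copied from the
 * data_provider.h hunk in the thread above; the decoder functions, the
 * fallback strings and the sample inputs in main() are this example's own.
 */
#define BE_REQ_USER           0x0001
#define BE_REQ_GROUP          0x0002
#define BE_REQ_INITGROUPS     0x0003
#define BE_REQ_NETGROUP       0x0004
#define BE_REQ_SERVICES       0x0005
#define BE_REQ_SUDO_FULL      0x0006
#define BE_REQ_SUDO_RULES     0x0007
#define BE_REQ_AUTOFS         0x0009
#define BE_REQ_HOST           0x0010
#define BE_REQ_BY_SECID       0x0011
#define BE_REQ_USER_AND_GROUP 0x0012
#define BE_REQ_BY_UUID        0x0013
#define BE_REQ_BY_CERT        0x0014
#define BE_REQ_TYPE_MASK      0x00FF
#define BE_REQ_FAST           0x1000

/* Name of the request type carried in the low byte. The flag bits are
 * masked off first, so callers may pass the raw request word. Always
 * returns a valid string, never NULL. */
const char *be_req_type2str(int req)
{
    switch (req & BE_REQ_TYPE_MASK) {
    case BE_REQ_USER:           return "BE_REQ_USER";
    case BE_REQ_GROUP:          return "BE_REQ_GROUP";
    case BE_REQ_INITGROUPS:     return "BE_REQ_INITGROUPS";
    case BE_REQ_NETGROUP:       return "BE_REQ_NETGROUP";
    case BE_REQ_SERVICES:       return "BE_REQ_SERVICES";
    case BE_REQ_SUDO_FULL:      return "BE_REQ_SUDO_FULL";
    case BE_REQ_SUDO_RULES:     return "BE_REQ_SUDO_RULES";
    case BE_REQ_AUTOFS:         return "BE_REQ_AUTOFS";
    case BE_REQ_HOST:           return "BE_REQ_HOST";
    case BE_REQ_BY_SECID:       return "BE_REQ_BY_SECID";
    case BE_REQ_USER_AND_GROUP: return "BE_REQ_USER_AND_GROUP";
    case BE_REQ_BY_UUID:        return "BE_REQ_BY_UUID";
    case BE_REQ_BY_CERT:        return "BE_REQ_BY_CERT";
    }
    /* 0x0008, 0x0015..0x00FF and anything else: a fixed fallback string
     * (hypothetical name), so a "%s" conversion is always safe. */
    return "BE_REQ_UNKNOWN";
}

/* Render flags plus type into a caller-supplied buffer, e.g.
 * 0x1001 -> "FAST BE_REQ_USER". Bits outside the type mask and the known
 * flags are reported explicitly rather than silently dropped. Returns buf. */
const char *be_req2str_ex(int req, char *buf, size_t buflen)
{
    int unknown_flags = req & ~(BE_REQ_TYPE_MASK | BE_REQ_FAST);

    snprintf(buf, buflen, "%s%s%s",
             (req & BE_REQ_FAST) ? "FAST " : "",
             be_req_type2str(req),
             unknown_flags ? " +UNKNOWN_FLAGS" : "");
    return buf;
}

int main(void)
{
    /* Constructed sample values: the one from the commit message, a plain
     * type, an unassigned type, and a word with an unexpected flag bit. */
    const int samples[] = { 0x1001, 0x0002, 0x0008, 0x2001 };
    char buf[64];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("Got request for [%#x][%s]\n",
               samples[i], be_req2str_ex(samples[i], buf, sizeof(buf)));
    }
    return 0;
}
```

Returning the caller's buffer rather than a static one keeps the helper reentrant, which matters once both the provider and the responder call it from their own log paths; placing the fallback `return` after the switch instead of under a `default:` label is what keeps gcc's -Wswitch useful should the constants later become an enum.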
Re: [SSSD] [WIP] [TEST]: Observation patch
On 08/17/2015 08:52 AM, Lukas Slebodnik wrote:
From c871c97862997df4e724647f1a0ce7297f2f059b Mon Sep 17 00:00:00 2001
From: Petr Cech pc...@redhat.com
Date: Fri, 14 Aug 2015 13:17:22 +0200
Subject: [PATCH] TEST: Fix for responder_cache_req-tests
Tests that do not pass have a problem with time. The time of writing records into the database varied from the time of creating a request, which is used for filtering records internally. The patch modifies the creation time of the record (adds one second to now()), so there should not be different times there.
Resolves: https://fedorahosted.org/sssd/ticket/2730
---
src/tests/cmocka/test_responder_cache_req.c | 18 -- 1 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c index 032fe429ac88b8cc9113976329ea04837f287276..4f77fe767e016496652a97c7a73fc9e29ba7faf0 100644 --- a/src/tests/cmocka/test_responder_cache_req.c +++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -1721,9 +1721,10 @@ void test_users_by_filter_valid(void **state) test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); test_ctx-create_user = true; +/* set (time+1) to avoid failure request time filter */ ret = sysdb_store_user(test_ctx-tctx-dom, TEST_USER_NAME2, pwd, 1001, 1001, NULL, NULL, NULL, cn=TEST_USER_NAME2,dc=test, NULL, - NULL, 1000, time(NULL)); + NULL, 1000, time(NULL)+1); assert_int_equal(ret, EOK);
Although this patch fixes intermittent failures, there are a few problems. The prototype of function sysdb_store_user is:
/* this function does not check that all user members are actually present */
/* if one of the basic attributes is empty () as opposed to NULL,
 * this will just remove it */
int sysdb_store_user(struct sss_domain_info *domain, const char *name, const char *pwd, uid_t uid, gid_t gid, const char *gecos, const char *homedir, const char *shell, const char *orig_dn, struct sysdb_attrs *attrs, char **remove_attrs, uint64_t cache_timeout, time_t now);
and if now is 0 then we will get the current time.
/* get transaction timestamp */
if (!now) {
    now = time(NULL);
}
I do not understand why we should set the current time (now) to the future time(NULL)+1. I didn't check it properly, but if now is used as the transaction timestamp (according to the comment) it should not be from the future.
LS
The initial value was time(now) and it could be simply 0, I agree with that. (I've tried time(now) - 0, but unfortunately it was not enough. The problem is elsewhere.)
The problem is reading the data. There is a filter from a certain time; the internally used time is set to the time of creating the request for reading data. But this request is created after inserting the data. Therefore the timestamp of the inserted data and the timestamp of request creation vary, especially if the machine is busy.
A completely correct solution (meaning clear) would be to create a request to read data at the beginning of the test, then insert the data and then try to read it.
I tried this, but I had complications with the mock then.
Petr
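Review bot: the `time(NULL)+1` in the test_users_by_filter_valid hunk only widens the race to one second rather than removing it: the request's filter timestamp is taken when cache_req_user_by_filter_send() runs, after sysdb_store_user(), so on a loaded valgrind run where more than a second passes between the two calls the entry is again older than the request and the test fails exactly as before, while the comment `set (time+1) to avoid failure request time filter` will mislead the next reader into thinking the problem is solved. The deterministic fix is the ordering described in the reply (create the request first, then insert the entry from the mocked DP callback), not a future timestamp.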
[SSSD] [PATCH] BUILD: Repair dependencies on deprecated libraries
Hi, this is a patch to https://fedorahosted.org/sssd/ticket/2733 This issue is caused by the change of packaging in libsystemd They said: We merged libsystemd-journal.so, libsystemd-id128.so, libsystemd-login and libsystemd-daemon into a a single libsystemd.so to reduce code duplication and avoid cyclic dependencies (see below). The new library exports the same symbols as the old libraries, however with a different symbol version. More is available here: http://lists.freedesktop.org/archives/systemd-devel/2014-February/017146.html So, the solution is checking the version of systemd and deciding which library we can use. More details in patch. Thanks. Petr PS: Thanks to lslebodn :-) PPS: There are CI tests too http://sssd-ci.duckdns.org/logs/commit/bf/8f8703d47abf01d5f1a5f683c2fc1ee572350c/1965/summary.html From fcf895ad8df932403dfc554a34ff0d8ceac72785 Mon Sep 17 00:00:00 2001 From: Petr Cech pc...@redhat.com Date: Mon, 27 Jul 2015 12:52:49 -0400 Subject: [PATCH] BUILD: Repair dependecies on deprecated libraries From systemd version 209 up, there are no modules -login and -journal. M4 macro can switch the libraries due to systemd version. Resolves: https://fedorahosted.org/sssd/ticket/2733 --- contrib/ci/deps.sh | 2 +- src/external/systemd.m4 | 24 +--- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh index 74401f8328cdcc6f80afa9f7408ef9e9ce890df7..22b7276ebdb8e3ba5e1e34334adbe310cbff8bad 100644 --- a/contrib/ci/deps.sh +++ b/contrib/ci/deps.sh @@ -92,7 +92,7 @@ if [[ $DISTRO_BRANCH == -debian-* ]]; then libselinux1-dev libsemanage1-dev libsmbclient-dev -libsystemd-journal-dev +libsystemd-dev libtalloc-dev libtdb-dev libtevent-dev diff --git a/src/external/systemd.m4 b/src/external/systemd.m4 index dbced0d66aa19e064f998648675a5a9c080eaab8..ddc79e465fd53618c5f90341a96461b92c8528b1 100644 --- a/src/external/systemd.m4 +++ b/src/external/systemd.m4 
@@ -1,23 +1,33 @@ +dnl There are no module libsystemd-journal and libsystem-login +dnl up systemd version 209 +PKG_CHECK_EXISTS(systemd = 209, [HAVE_SYSTEMD_NEW=yes], [HAVE_SYSTEMD_NEW=no]) + dnl A macro to check presence of systemd on the system AC_DEFUN([AM_CHECK_SYSTEMD], [ PKG_CHECK_EXISTS(systemd, [ HAVE_SYSTEMD=1, AC_SUBST(HAVE_SYSTEMD) ], - [AC_MSG_ERROR([Could not detect systemd presence])] -) + [AC_MSG_ERROR([Could not detect systemd presence])]) ]) +AS_IF(test x$HAVE_SYSTEMD_NEW = xyes, login_lib_name=libsystemd, + login_lib_name=libsystemd-login) + AM_COND_IF([HAVE_SYSTEMD], - [PKG_CHECK_MODULES([SYSTEMD_LOGIN], [libsystemd-login], -[AC_DEFINE_UNQUOTED(HAVE_SYSTEMD_LOGIN, 1, [Build with libsystemdlogin support])], + [PKG_CHECK_MODULES([SYSTEMD_LOGIN], +[$login_lib_name], +[AC_DEFINE_UNQUOTED(HAVE_SYSTEMD_LOGIN, 1, +[Build with libsystemdlogin support])], [AC_MSG_NOTICE([Build without libsystemd-login support])])]) dnl A macro to check presence of journald on the system AC_DEFUN([AM_CHECK_JOURNALD], [ - PKG_CHECK_MODULES(JOURNALD, - libsystemd-journal, - [AC_DEFINE_UNQUOTED([WITH_JOURNALD], 1, [journald is available])]) +AS_IF(test x$HAVE_SYSTEMD_NEW = xyes, journal_lib_name=libsystemd, + journal_lib_name=libsystemd-journal) + PKG_CHECK_MODULES(JOURNALD, [$journal_lib_name], + [AC_DEFINE_UNQUOTED([WITH_JOURNALD], 1, + [journald is available])]) dnl Some older versions of pkg-config might not set these automatically dnl while setting CFLAGS and LIBS manually twice doesn't hurt. AC_SUBST([JOURNALD_CFLAGS]) -- 2.4.3 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
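Review bot: the contrib/ci/deps.sh hunk replaces `libsystemd-journal-dev` with `libsystemd-dev` unconditionally on the Debian branch, while the systemd.m4 hunk keeps a fallback to libsystemd-login/libsystemd-journal for systemd older than 209; if any CI Debian image still ships the split libraries, configure will fall back to dev packages that are no longer installed. Either state in the commit message that every CI Debian target has systemd 209 or newer, or keep both dev packages in the list.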
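Review bot: the comment `+dnl There are no module libsystemd-journal and libsystem-login` in the systemd.m4 hunk misspells libsystemd-login and does not say what replaces the old libraries; a clearer version is "libsystemd-journal and libsystemd-login are deprecated since systemd 209, use libsystemd instead", with the freedesktop announcement URL from the cover mail. The top-level `PKG_CHECK_EXISTS` test against version 209 also keys the choice to a version number rather than to the library that is actually installed; checking for `libsystemd` itself is more robust on distributions that backport, and the `AS_IF` arguments should be quoted in square brackets as in the other src/external/*.m4 files.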
Re: [SSSD] [PATCH] BUILD: Repair dependencies on deprecated libraries
On 07/28/2015 01:34 PM, Lukas Slebodnik wrote: On (28/07/15 11:58), Petr Cech wrote: From fcf895ad8df932403dfc554a34ff0d8ceac72785 Mon Sep 17 00:00:00 2001 From: Petr Cech pc...@redhat.com Date: Mon, 27 Jul 2015 12:52:49 -0400 Subject: [PATCH] BUILD: Repair dependecies on deprecated libraries From systemd version 209 up, there are no modules -login and -journal. M4 macro can switch the libraries due to systemd version. Resolves: https://fedorahosted.org/sssd/ticket/2733 --- contrib/ci/deps.sh | 2 +- src/external/systemd.m4 | 24 +--- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh index 74401f8328cdcc6f80afa9f7408ef9e9ce890df7..22b7276ebdb8e3ba5e1e34334adbe310cbff8bad 100644 --- a/contrib/ci/deps.sh +++ b/contrib/ci/deps.sh @@ -92,7 +92,7 @@ if [[ $DISTRO_BRANCH == -debian-* ]]; then libselinux1-dev libsemanage1-dev libsmbclient-dev -libsystemd-journal-dev +libsystemd-dev libtalloc-dev libtdb-dev libtevent-dev diff --git a/src/external/systemd.m4 b/src/external/systemd.m4 index dbced0d66aa19e064f998648675a5a9c080eaab8..ddc79e465fd53618c5f90341a96461b92c8528b1 100644 --- a/src/external/systemd.m4 +++ b/src/external/systemd.m4 
@@ -1,23 +1,33 @@ +dnl There are no module libsystemd-journal and libsystem-login +dnl up systemd version 209 I think better comment would be to say that libsystemd-journal and libsystem-login ... are deprecated and libsystemd should be used instead of them. http://lists.freedesktop.org/archives/systemd-devel/2014-February/017146.html +PKG_CHECK_EXISTS(systemd = 209, [HAVE_SYSTEMD_NEW=yes], [HAVE_SYSTEMD_NEW=no]) + dnl A macro to check presence of systemd on the system AC_DEFUN([AM_CHECK_SYSTEMD], [ PKG_CHECK_EXISTS(systemd, [ HAVE_SYSTEMD=1, AC_SUBST(HAVE_SYSTEMD) ], - [AC_MSG_ERROR([Could not detect systemd presence])] -) + [AC_MSG_ERROR([Could not detect systemd presence])]) ]) +AS_IF(test x$HAVE_SYSTEMD_NEW = xyes, login_lib_name=libsystemd, I know I recommended that name to you but development in systemd is quite rapid. So in future we might need another variable HAVE_SYSTEMD_NEWER. So it migth be better to test an availability of library libsystemd. It was introduced in systemd 209 and is not available on rhel 7.{0,1} Something like PKG_CHECK_EXISTS([libsystemd], [HAVE_LIBSYSTEMD=yes], [HAVE_LIBSYSTEMD=no]) instead of 1st line in file. 
+ login_lib_name=libsystemd-login) + the square brackets are user on other places with macro AS_IF src/external/intgcheck.m4:AS_IF([test -n $PYTEST], [HAVE_PYTEST=yes], [HAVE_PYTEST=no]) src/external/ldap.m4:AS_IF([test -n $SLAPD], [HAVE_SLAPD=yes], [HAVE_SLAPD=no]) src/external/libcmocka.m4:AS_IF([test x$cmocka_required_headers != xno], src/external/libcmocka.m4- [PKG_CHECK_MODULES([CMOCKA], [cmocka], [have_cmocka=yes])] AM_COND_IF([HAVE_SYSTEMD], - [PKG_CHECK_MODULES([SYSTEMD_LOGIN], [libsystemd-login], -[AC_DEFINE_UNQUOTED(HAVE_SYSTEMD_LOGIN, 1, [Build with libsystemdlogin support])], + [PKG_CHECK_MODULES([SYSTEMD_LOGIN], +[$login_lib_name], +[AC_DEFINE_UNQUOTED(HAVE_SYSTEMD_LOGIN, 1, +[Build with libsystemdlogin support])], [AC_MSG_NOTICE([Build without libsystemd-login support])])]) I would add at least 4 spaces here instead of 1. So it will be clear that the code belongs to PKG_CHECK_MODULES and not to the AM_COND_IF dnl A macro to check presence of journald on the system AC_DEFUN([AM_CHECK_JOURNALD], [ - PKG_CHECK_MODULES(JOURNALD, - libsystemd-journal, - [AC_DEFINE_UNQUOTED([WITH_JOURNALD], 1, [journald is available])]) +AS_IF(test x$HAVE_SYSTEMD_NEW = xyes, journal_lib_name=libsystemd, + journal_lib_name=libsystemd-journal) We do not have the same indentation in autotools code. We do not have a rules or coding style. So its safe to use the same indentation as code around. + PKG_CHECK_MODULES(JOURNALD, [$journal_lib_name], + [AC_DEFINE_UNQUOTED([WITH_JOURNALD], 1, + [journald is available])]) dnl Some older versions of pkg-config might not set these automatically dnl while setting CFLAGS and LIBS manually twice doesn't hurt. AC_SUBST([JOURNALD_CFLAGS]) -- 2.4.3 LS ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel Thanks. There is a patch version 2. And CI: http://sssd-ci.duckdns.org/logs/commit/75
Re: [SSSD] [PATCH] SDAP: rename SDAP_CACHE_PURGE_TIMEOUT
On 07/29/2015 08:51 PM, Jakub Hrozek wrote: On Wed, Jul 29, 2015 at 10:19:33AM +0200, Pavel Reichl wrote: Hello, please see the trivial patch attached. While I was investigating a case I found that to access the value of the 'ldap_purge_cache_timeout' option I need to use the enum value SDAP_CACHE_PURGE_TIMEOUT. I consider this to be a bad name (swap of cache and purge) as it took me additional time to find this out. I think that the proposed name is better. Unless somebody feels strongly against the patch I think it could be reviewed by our new colleague. Yes, I assigned the review to Petr. Thanks!

Hi, I went through the code; the replacement was done consistently everywhere. I built it successfully. CI tests: http://sssd-ci.duckdns.org/logs/commit/0e/84d48733ed84948e52d62e9f7ca6f40dd7366c/1995/summary.html (The failure is not relevant to the patch.) = ACK Petr
Re: [SSSD] [PATCH] SPEC: Update spec file for krb5_local_auth_plugin
On 07/24/2015 09:46 AM, Lukas Slebodnik wrote: ehlo, patch is attached. LS 0001-SPEC-Update-spec-file-for-krb5_local_auth_plugin.patch From 9474dfc64cbd73ab25bf12660f6b55e5563fe14c Mon Sep 17 00:00:00 2001 From: Lukas Slebodniklsleb...@redhat.com Date: Fri, 24 Jul 2015 09:24:31 +0200 Subject: [PATCH] SPEC: Update spec file for krb5_local_auth_plugin krb5_localauth_plugin could be build only with MIT kerberos = 1.12. However, this feature was backported in downstream to older version of kerberos. So there were packaging failures error: Installed (but unpackaged) file(s) found: /usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so RPM build errors: Installed (but unpackaged) file(s) found: /usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so Child returncode was: 1 EXCEPTION: Command failed. See logs for output. --- contrib/sssd.spec.in | 7 ++- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 15f7c582cba1b9052e180596625be7dd5749599f..cb3aab78616c6c8f9442fbf3d0944d4d140ff549 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -1,3 +1,4 @@ +%global rhel6_minor %(%{__grep} -o 6.[0-9]* /etc/redhat-release |%{__sed} -s 's/6.//') %global rhel7_minor %(%{__grep} -o 7.[0-9]* /etc/redhat-release |%{__sed} -s 's/7.//') %if 0%{?rhel} 0%{?rhel} = 6 @@ -41,7 +42,7 @@ %global with_cifs_utils_plugin_option --disable-cifs-idmap-plugin %endif -%if (0%{?fedora} = 21 || (0%{?rhel} == 7 0%{?rhel7_minor} = 1)) +%if (0%{?fedora} || (0%{?rhel} == 7 0%{?rhel7_minor} = 1) || (0%{?rhel} == 6 0%{?rhel6_minor} = 7)) %global with_krb5_localauth_plugin 1 %endif 
@@ -112,11 +113,7 @@ BuildRequires: pcre-devel BuildRequires: libxslt BuildRequires: libxml2 BuildRequires: docbook-style-xsl -%if (0%{?with_krb5_localauth_plugin} == 1) -BuildRequires: krb5-devel = 1.12 -%else BuildRequires: krb5-devel -%endif BuildRequires: c-ares-devel BuildRequires: python-devel %if (0%{?with_python3} == 1) -- 2.4.3

Hi, I looked at the patch and successfully built the rpm on RHEL 6.6 and 6.7 (and on Fedora 22). Then I used CI; the result is here http://sssd-ci.duckdns.org/logs/commit/7c/fbe0ff1743a1939c8066175f1634842c58de66/1977/summary.html It looks good to me. So -- if nobody has comments -- ACK. Petr
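Review bot: the `+%if (0%{?fedora} || ...)` hunk drops the earlier lower bound of Fedora 21, so with_krb5_localauth_plugin is now set on every Fedora release; that is correct only if every Fedora still being built carries krb5 1.12 or newer, and the commit message, which only talks about the RHEL backport, should say so.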
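Review bot: the BuildRequires hunk removes the versioned `krb5-devel = 1.12` requirement altogether instead of extending it for the backport case, so a build on a distribution that enables with_krb5_localauth_plugin but lacks the backport now fails at configure or compile time instead of at dependency resolution. Keeping the version floor on the Fedora branch, where 1.12 is the upstream requirement, and relaxing it only where the downstream backport exists would preserve the earlier, clearer failure.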
Re: [SSSD] IFP: use default limit if provided is 0
On 08/13/2015 12:48 PM, Pavel Březina wrote: From eef083f774988fe8e6b6a5a8513a163fd7558b55 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?=pbrez...@redhat.com Date: Thu, 13 Aug 2015 12:46:59 +0200 Subject: [PATCH] IFP: use default limit if provided is 0

Hi, CI: http://sssd-ci.duckdns.org/logs/job/21/49/summary.html I compiled it, ran it and it worked. ACK Petr
Re: [SSSD] [PATCH] [HBAC]: Better libhbac debugging
ping :-)
[SSSD] [WIP] [TEST]: Observation patch
Hi, I have explored in detail why the test responder_cache_req-tests failed so often. I created a new VM with RHEL 6.7.

OBSERVATION: As we know, CI machines are under pressure, so I wrote a simple cpu_braker, see [1]. I ran the tests 50 times with cpu_braker (average load 2.60, only 1 CPU). Results:

[ RUN ] test_users_by_filter_multiple_domains_valid 0x2 != 0 src/tests/cmocka/test_responder_cache_req.c:1875: error: Failure!
[ RUN ] test_users_by_filter_multiple_domains_valid 0x1 != 0x2 src/tests/cmocka/test_responder_cache_req.c:1879: error: Failure!
[ RUN ] test_groups_by_filter_valid 0x1 != 0x2 src/tests/cmocka/test_responder_cache_req.c:1972: error: Failure!
[ RUN ] test_groups_by_filter_multiple_domains_valid 0x2 != 0 src/tests/cmocka/test_responder_cache_req.c:2051: error: Failure!
[ RUN ] test_groups_by_filter_multiple_domains_valid 0x1 != 0x2 src/tests/cmocka/test_responder_cache_req.c:2055: error: Failure!

These errors say they failed to retrieve data from the cache. The tests insert two test values into the cache at the beginning of their run, and then try to pull them back. And sometimes, if they are under pressure, they fail. For a more detailed explanation, I added some printf(). I ran the test 25 times. The results:

[ RUN ] test_users_by_filter_valid
... sysdb_store_user at [1439384336] (src/db/sysdb_ops.c:1882)
... cache_req_input_create at [1439384337] (src/responder/common/responder_cache_req.c:122)
... recent_filter = [(lastUpdate=1439384337)] (src/responder/common/responder_cache_req.c:44)
... sysdb_store_user at [1439384337] (src/db/sysdb_ops.c:1882)
... recent_filter = [(lastUpdate=1439384337)] (src/responder/common/responder_cache_req.c:44)
0x1 != 0x2 src/tests/cmocka/test_responder_cache_req.c:1748: error: Failure!

[ RUN ] test_users_by_filter_multiple_domains_valid
... sysdb_store_user at [1439384174] (src/db/sysdb_ops.c:1882)
... sysdb_store_user at [1439384174] (src/db/sysdb_ops.c:1882)
... cache_req_input_create at [1439384175] (src/responder/common/responder_cache_req.c:122)
... recent_filter = [(lastUpdate=1439384175)] (src/responder/common/responder_cache_req.c:44)
... recent_filter = [(lastUpdate=1439384175)] (src/responder/common/responder_cache_req.c:44)
0x2 != 0 src/tests/cmocka/test_responder_cache_req.c:1874: error: Failure!

[ RUN ] test_groups_by_filter_valid
... sysdb_store_group at [1439385276] (src/db/sysdb_ops.c:2042)
... cache_req_input_create at [1439385277] (src/responder/common/responder_cache_req.c:122)
... recent_filter = [(lastUpdate=1439385277)] (src/responder/common/responder_cache_req.c:67)
... sysdb_store_group at [1439385277] (src/db/sysdb_ops.c:2042)
... recent_filter = [(lastUpdate=1439385277)] (src/responder/common/responder_cache_req.c:67)
0x1 != 0x2 src/tests/cmocka/test_responder_cache_req.c:1971: error: Failure!

[ RUN ] test_groups_by_filter_multiple_domains_valid
... sysdb_store_group at [1439385286] (src/db/sysdb_ops.c:2042)
... sysdb_store_group at [1439385287] (src/db/sysdb_ops.c:2042)
... cache_req_input_create at [1439385287] (src/responder/common/responder_cache_req.c:122)
... recent_filter = [(lastUpdate=1439385287)] (src/responder/common/responder_cache_req.c:67)
... recent_filter = [(lastUpdate=1439385287)] (src/responder/common/responder_cache_req.c:67)
0x1 != 0x2 src/tests/cmocka/test_responder_cache_req.c:2054: error: Failure!

As we can see, we have discovered a new failing test, test_users_by_filter_valid.

REPRODUCER: Use cpu_braker [1] and the observation patch [2] and try some iterations...

# for i in {1..50} ; do ./responder_cache_req-tests ; done

SOLUTION? The problem is caused by trying to retrieve records from the cache with the time filter set. The time filter is set to the time of the request creation. However, in our tests we create the request after inserting records into the cache. Therefore, the time of the data records and the time filter may differ. So, the solution is to create the request and then insert records, or to create the request and set:

# req.req_start = req.req_start - 1.

Please, can you help me? For example see the function test_users_by_filter_multiple_domains_valid() in src/tests/cmocka/test_responder_cache_req.c:1834

Regards Petr

ATTACHMENTS: [1] cpu_braker.c [2] 0001-TEST-Observation-patch.patch

From b58608eaadca863b28b0cc80b0588fa536d508b8 Mon Sep 17 00:00:00 2001 From: Petr Cech pc...@redhat.com Date: Wed, 12 Aug 2015 15:41:03 +0200 Subject: [PATCH] [TEST]: Observation patch This patch is part of reproducer, nothing more. Resolves: https://fedorahosted.org/sssd/ticket/2730 --- src/db/sysdb_ops.c |6 ++ src/responder/common/responder_cache_req.c | 11 +++ 2 files changed
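Both this observation mail and the earlier time(NULL)+1 thread come down to one ordering problem: the request's time filter is captured after the records are stored, and a clock tick in between hides records. The following is an added example written for this page, not code from SSSD or from either thread; it models the store/request ordering with an injectable clock so the failure reproduces deterministically instead of needing cpu_braker. The struct names, run_scenario() and the starting timestamp are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Injectable clock standing in for time(NULL): the test advances it by
 * hand instead of waiting for a busy machine to cross a second boundary. */
static time_t fake_now;
static time_t clock_now(void) { return fake_now; }
static void clock_tick(int ticks) { fake_now += ticks; }

/* A cache record carries a lastUpdate stamp with one-second granularity. */
struct cache_record {
    const char *name;
    time_t last_update;
};

struct cache {
    struct cache_record recs[8];
    size_t count;
};

/* Store stamped with the current clock, like a store call with now == 0. */
static void cache_store(struct cache *c, const char *name)
{
    if (c->count >= sizeof(c->recs) / sizeof(c->recs[0])) {
        return;
    }
    c->recs[c->count].name = name;
    c->recs[c->count].last_update = clock_now();
    c->count++;
}

/* The request captures its start time once, when it is created. */
struct cache_req {
    time_t req_start;
};

static struct cache_req cache_req_create(void)
{
    struct cache_req req;
    req.req_start = clock_now();
    return req;
}

/* The "recent" filter: only records with lastUpdate >= req_start count. */
static size_t cache_req_lookup(const struct cache *c, const struct cache_req *req)
{
    size_t found = 0;
    for (size_t i = 0; i < c->count; i++) {
        if (c->recs[i].last_update >= req->req_start) {
            found++;
        }
    }
    return found;
}

/* One iteration of the test scenario; returns how many of the two stored
 * records the request sees.
 *   request_first       - create the request before storing (the fix)
 *   tick_between_stores - the clock advances between the two stores
 *   tick_before_request - the clock advances between the last store and
 *                         request creation (store-then-request order only) */
size_t run_scenario(int request_first, int tick_between_stores, int tick_before_request)
{
    struct cache c = { .count = 0 };
    struct cache_req req = { 0 };

    fake_now = 1439384336;  /* constructed starting timestamp */

    if (request_first) {
        req = cache_req_create();
    }
    cache_store(&c, "user1");
    clock_tick(tick_between_stores);
    cache_store(&c, "user2");
    if (!request_first) {
        clock_tick(tick_before_request);
        req = cache_req_create();
    }
    return cache_req_lookup(&c, &req);
}

int main(void)
{
    printf("store, store, request:       %zu of 2 found\n", run_scenario(0, 0, 0));
    printf("store, tick, store, request: %zu of 2 found\n", run_scenario(0, 1, 0));
    printf("store, store, tick, request: %zu of 2 found\n", run_scenario(0, 0, 1));
    printf("request, store, tick, store: %zu of 2 found\n", run_scenario(1, 1, 0));
    return 0;
}
```

The second and third scenarios reproduce the `0x1 != 0x2` and `0x2 != 0` failures from the log above without any load; creating the request first makes the result independent of where the second boundary falls.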
Re: [SSSD] [WIP] [TEST]: Observation patch
On 08/13/2015 07:49 AM, Lukas Slebodnik wrote: On (12/08/15 17:57), Petr Cech wrote: Hi, I have explored in detail why the test responder_cache_req-tests failed so often. I created a new VM with RHEL 6.7. OBSERVATION: How we know, CI machines are under pressure, so I wrote simple cpu_braker, see [1]. I ran the tests 50 times with cpu_braker (average load 2.60, only 1 CPU). Results: [ RUN ] test_users_by_filter_multiple_domains_valid 0x2 != 0 src/tests/cmocka/test_responder_cache_req.c:1875: error: Failure! [ RUN ] test_users_by_filter_multiple_domains_valid 0x1 != 0x2 src/tests/cmocka/test_responder_cache_req.c:1879: error: Failure! [ RUN ] test_groups_by_filter_valid 0x1 != 0x2 src/tests/cmocka/test_responder_cache_req.c:1972: error: Failure! [ RUN ] test_groups_by_filter_multiple_domains_valid 0x2 != 0 src/tests/cmocka/test_responder_cache_req.c:2051: error: Failure! [ RUN ] test_groups_by_filter_multiple_domains_valid 0x1 != 0x2 src/tests/cmocka/test_responder_cache_req.c:2055: error: Failure! These errors say they failed to retrieve data from the cache. Tests inserts two test values into the cache at the beginning of their run, and then tries to pull it back. And sometime if they are under pressure, they fail. For a more detailed explanation, I added some printf(). I ran the test 25 times. The results: [ RUN ] test_users_by_filter_valid ... sysdb_store_user at [1439384336] (src/db/sysdb_ops.c:1882) ... cache_req_input_create at [1439384337] (src/responder/common/responder_cache_req.c:122) ... recent_filter = [(lastUpdate=1439384337)] (src/responder/common/responder_cache_req.c:44) ... sysdb_store_user at [1439384337] (src/db/sysdb_ops.c:1882) ... recent_filter = [(lastUpdate=1439384337)] (src/responder/common/responder_cache_req.c:44) 0x1 != 0x2 src/tests/cmocka/test_responder_cache_req.c:1748: error: Failure! [ RUN ] test_users_by_filter_multiple_domains_valid ... sysdb_store_user at [1439384174] (src/db/sysdb_ops.c:1882) ... 
sysdb_store_user at [1439384174] (src/db/sysdb_ops.c:1882) ... cache_req_input_create at [1439384175] (src/responder/common/responder_cache_req.c:122) ... recent_filter = [(lastUpdate=1439384175)] (src/responder/common/responder_cache_req.c:44) ... recent_filter = [(lastUpdate=1439384175)] (src/responder/common/responder_cache_req.c:44) 0x2 != 0 src/tests/cmocka/test_responder_cache_req.c:1874: error: Failure! [ RUN ] test_groups_by_filter_valid ... sysdb_store_group at [1439385276] (src/db/sysdb_ops.c:2042) ... cache_req_input_create at [1439385277] (src/responder/common/responder_cache_req.c:122) ... recent_filter = [(lastUpdate=1439385277)] (src/responder/common/responder_cache_req.c:67) ... sysdb_store_group at [1439385277] (src/db/sysdb_ops.c:2042) ... recent_filter = [(lastUpdate=1439385277)] (src/responder/common/responder_cache_req.c:67) 0x1 != 0x2 src/tests/cmocka/test_responder_cache_req.c:1971: error: Failure! [ RUN ] test_groups_by_filter_multiple_domains_valid ... sysdb_store_group at [1439385286] (src/db/sysdb_ops.c:2042) ... sysdb_store_group at [1439385287] (src/db/sysdb_ops.c:2042) ... cache_req_input_create at [1439385287] (src/responder/common/responder_cache_req.c:122) ... recent_filter = [(lastUpdate=1439385287)] (src/responder/common/responder_cache_req.c:67) ... recent_filter = [(lastUpdate=1439385287)] (src/responder/common/responder_cache_req.c:67) 0x1 != 0x2 src/tests/cmocka/test_responder_cache_req.c:2054: error: Failure! As we can see, we have discovered a new failing test test_users_by_filter_valid. REPRODUCER: Use cpu_braker [1] and observation patch [2] and try some iterations... # for i in {1..50} ; do ./responder_cache_req-tests ; done SOLUTION? The problem is caused by trying to retrieve records from the cache, with the time filter set. A time filter we have set by the time of the request creation. However, we create the request in our tests after inserting records into the cache. 
Therefore, it may vary the data records time and the time filter. So, solution is create the request and then insert records or create request and set: # req.req_start = req.req_start - 1. Please, can you help me? For example see function: test_users_by_filter_multiple_domains_valid() in src/tests/cmocka/test_responder_cache_req.c:1834 Regards Petr ATTACHMENTS: [1] cpu_braker.c [2] 0001-TEST-Observation-patch.patch From b58608eaadca863b28b0cc80b0588fa536d508b8 Mon Sep 17 00:00:00 2001 From: Petr Cech pc...@redhat.com Date: Wed, 12 Aug 2015 15:41:03 +0200 Subject: [PATCH] [TEST]: Observation patch This patch is part of reproducer, nothing more. Resolves: https://fedorahosted.org/sssd/ticket/2730 --- src/db/sysdb_ops.c |6 ++ src/responder/common
[SSSD] [PATCH] [HBAC]: Better libhbac debugging
) ...hbac_evaluator.c:474] srchosts: ...hbac_evaluator.c:427] category [0x1] [ALL] ...hbac_evaluator.c:173] DISALLOWED by rule [szabo_allowed]. ...hbac_evaluator.c:454] RULE [Test_rule] [ENABLED]: ...hbac_evaluator.c:456] services: ...hbac_evaluator.c:427] category [0] [NONE] ...hbac_evaluator.c:430] services_names: ...hbac_evaluator.c:432] [login] ...hbac_evaluator.c:432] [sshd] ...hbac_evaluator.c:432] [su] ...hbac_evaluator.c:445] services_groups (none) ...hbac_evaluator.c:462] users: ...hbac_evaluator.c:427] category [0] [NONE] ...hbac_evaluator.c:430] users_names: ...hbac_evaluator.c:432] [csikos] ...hbac_evaluator.c:445] users_groups (none) ...hbac_evaluator.c:468] targethosts: ...hbac_evaluator.c:427] category [0] [NONE] ...hbac_evaluator.c:430] targethosts_names: ...hbac_evaluator.c:432] [albireo.cygnus.dev] ...hbac_evaluator.c:445] targethosts_groups (none) ...hbac_evaluator.c:474] srchosts: ...hbac_evaluator.c:427] category [0x1] [ALL] ...hbac_evaluator.c:173] DISALLOWED by rule [Test_rule]. 
...hbac_evaluator.c:214] hbac_evaluate() ] ...hbac_evaluator.c:150] [ hbac_evaluate() ...hbac_evaluator.c:410] REQUEST: ...hbac_evaluator.c:391] service [sshd] ...hbac_evaluator.c:400] service_group (none) ...hbac_evaluator.c:391] user [szabo] ...hbac_evaluator.c:395] user_group: ...hbac_evaluator.c:397] [ipausers] ...hbac_evaluator.c:391] targethost [albireo.cygnus.dev] ...hbac_evaluator.c:400] targethost_group (none) ...hbac_evaluator.c:391] srchost [192.168.122.106] ...hbac_evaluator.c:400] srchost_group (none) ...hbac_evaluator.c:417] request time Fri Jul 24 14:29:46 2015 ...hbac_evaluator.c:454] RULE [szabo_allowed] [ENABLED]: ...hbac_evaluator.c:456] services: ...hbac_evaluator.c:427] category [0] [NONE] ...hbac_evaluator.c:435] services_names (none) ...hbac_evaluator.c:440] services_groups: ...hbac_evaluator.c:442] [Sudo] ...hbac_evaluator.c:462] users: ...hbac_evaluator.c:427] category [0] [NONE] ...hbac_evaluator.c:430] users_names: ...hbac_evaluator.c:432] [szabo] ...hbac_evaluator.c:445] users_groups (none) ...hbac_evaluator.c:468] targethosts: ...hbac_evaluator.c:427] category [0] [NONE] ...hbac_evaluator.c:430] targethosts_names: ...hbac_evaluator.c:432] [albireo.cygnus.dev] ...hbac_evaluator.c:445] targethosts_groups (none) ...hbac_evaluator.c:474] srchosts: ...hbac_evaluator.c:427] category [0x1] [ALL] ...hbac_evaluator.c:173] DISALLOWED by rule [szabo_allowed]. 
...hbac_evaluator.c:454] RULE [Test_rule] [ENABLED]: ...hbac_evaluator.c:456] services: ...hbac_evaluator.c:427] category [0] [NONE] ...hbac_evaluator.c:430] services_names: ...hbac_evaluator.c:432] [login] ...hbac_evaluator.c:432] [sshd] ...hbac_evaluator.c:432] [su] ...hbac_evaluator.c:445] services_groups (none) ...hbac_evaluator.c:462] users: ...hbac_evaluator.c:427] category [0] [NONE] ...hbac_evaluator.c:430] users_names: ...hbac_evaluator.c:432] [csikos] ...hbac_evaluator.c:445] users_groups (none) ...hbac_evaluator.c:468] targethosts: ...hbac_evaluator.c:427] category [0] [NONE] ...hbac_evaluator.c:430] targethosts_names: ...hbac_evaluator.c:432] [albireo.cygnus.dev] ...hbac_evaluator.c:445] targethosts_groups (none) ...hbac_evaluator.c:474] srchosts: ...hbac_evaluator.c:427] category [0x1] [ALL] ...hbac_evaluator.c:173] DISALLOWED by rule [Test_rule]. ...hbac_evaluator.c:214] hbac_evaluate() ] Thanks. Petr From 2fcf13ef59f00b460afa77b27ef6cc2789b06393 Mon Sep 17 00:00:00 2001 From: Petr Cech pc...@redhat.com Date: Fri, 24 Jul 2015 10:56:49 -0400 Subject: [PATCH] [HBAC]: Better libhbac debuging Added support for logging via external log function. Log provides information about rules evaluating (HBAC_DBG_INFO level) and additionally can describe rules (HBAC_DBG_TRACE level). Resolves: https://fedorahosted.org/sssd/ticket/2703 --- src/providers/ipa/hbac_evaluator.c | 146 + src/providers/ipa/ipa_access.c | 45 src/providers/ipa/ipa_hbac.exports | 3 +- src/providers/ipa/ipa_hbac.h | 23 ++ 4 files changed, 216 insertions(+), 1 deletion(-) diff --git a/src/providers/ipa/hbac_evaluator.c b/src/providers/ipa/hbac_evaluator.c index f40f9e0a7f16f5e012079c637b89c8e49ec5d15b..66d3512937702b5955f333c0c837807ee9e13deb 100644 --- a/src/providers/ipa/hbac_evaluator.c +++ b/src/providers/ipa/hbac_evaluator.c @@ -24,6 +24,8 @@ */ #include stdlib.h +#include stdio.h +#include stdarg.h #include string.h #include errno.h #include providers/ipa/ipa_hbac.h 
@@ -38,6 +40,41 @@ typedef int errno_t; #define EOK 0 #endif +/* HBAC logging system */ + +/* static pointer to external logging function
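The commit message above describes a library-side log hook with an HBAC_DBG_INFO level for evaluation outcomes and an HBAC_DBG_TRACE level that additionally describes each rule. The following is an added illustration of that pattern, written for this page and not taken from libhbac or from the patch: the level values, the callback signature, hbac_set_logger(), the toy rule struct and the matching logic are all assumptions of the example; the user and rule names are borrowed from the log output quoted above.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Level values are assumed; the page only names the two levels. */
enum hbac_dbg_level {
    HBAC_DBG_NONE = 0,
    HBAC_DBG_INFO = 1,    /* outcome of each rule evaluation */
    HBAC_DBG_TRACE = 2    /* plus a description of the request and rules */
};

typedef void (*hbac_log_fn)(enum hbac_dbg_level level, const char *msg);

/* Static pointer to the external logging function; NULL means logging
 * is off, so a library user without a debug facility pays nothing. */
static hbac_log_fn hbac_external_log = NULL;
static enum hbac_dbg_level hbac_max_level = HBAC_DBG_NONE;

void hbac_set_logger(hbac_log_fn fn, enum hbac_dbg_level max_level)
{
    hbac_external_log = fn;
    hbac_max_level = max_level;
}

/* Format into a bounded buffer and hand one finished line to the consumer. */
static void hbac_log(enum hbac_dbg_level level, const char *fmt, ...)
{
    char buf[256];
    va_list ap;

    if (hbac_external_log == NULL || level > hbac_max_level) {
        return;
    }
    va_start(ap, fmt);
    vsnprintf(buf, sizeof(buf), fmt, ap);
    va_end(ap);
    hbac_external_log(level, buf);
}

/* Toy rule model (assumption): one user and one service per rule. */
struct hbac_rule {
    const char *name;
    int enabled;
    const char *user;
    const char *service;
};

/* Returns 1 if an enabled rule matches the request, 0 otherwise. */
int hbac_evaluate(const struct hbac_rule *rules, size_t n,
                  const char *user, const char *service)
{
    hbac_log(HBAC_DBG_TRACE, "REQUEST: user [%s] service [%s]", user, service);
    for (size_t i = 0; i < n; i++) {
        const struct hbac_rule *r = &rules[i];
        hbac_log(HBAC_DBG_TRACE, "RULE [%s] [%s]: users [%s] services [%s]",
                 r->name, r->enabled ? "ENABLED" : "DISABLED",
                 r->user, r->service);
        if (r->enabled && strcmp(r->user, user) == 0
                && strcmp(r->service, service) == 0) {
            hbac_log(HBAC_DBG_INFO, "ALLOWED by rule [%s].", r->name);
            return 1;
        }
        hbac_log(HBAC_DBG_INFO, "DISALLOWED by rule [%s].", r->name);
    }
    return 0;
}

/* Consumer side: capture the lines so the behaviour can be checked. */
static char captured[16][256];
static size_t captured_count;

static void capture_log(enum hbac_dbg_level level, const char *msg)
{
    (void)level;
    if (captured_count < 16) {
        snprintf(captured[captured_count], sizeof(captured[0]), "%s", msg);
        captured_count++;
    }
}

/* Evaluate a constructed sshd request for `user` at the given level. */
static size_t hbac_run_demo(enum hbac_dbg_level level, const char *user, int *allowed)
{
    static const struct hbac_rule rules[] = {
        { "szabo_allowed", 1, "szabo", "sudo" },
        { "Test_rule", 1, "csikos", "sshd" },
    };
    captured_count = 0;
    hbac_set_logger(capture_log, level);
    *allowed = hbac_evaluate(rules, 2, user, "sshd");
    return captured_count;
}

size_t hbac_demo_lines(enum hbac_dbg_level level, const char *user)
{
    int allowed;
    return hbac_run_demo(level, user, &allowed);
}

int hbac_demo_allowed(enum hbac_dbg_level level, const char *user)
{
    int allowed;
    hbac_run_demo(level, user, &allowed);
    return allowed;
}

int main(void)
{
    size_t n = hbac_demo_lines(HBAC_DBG_TRACE, "szabo");
    for (size_t i = 0; i < n; i++) {
        printf("%s\n", captured[i]);
    }
    return 0;
}
```

At HBAC_DBG_INFO the consumer receives only the per-rule decision lines; at HBAC_DBG_TRACE it also gets the request and rule descriptions, which is the extra detail the patch's log excerpt shows. The gate in hbac_log() is what keeps the trace formatting cost out of production builds.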
Re: [SSSD] [PATCH] UTIL: Function 2string for enum sss_cli_command
On 07/13/2015 07:13 PM, Lukas Slebodnik wrote: On (13/07/15 10:57), Jakub Hrozek wrote: On Mon, Jul 13, 2015 at 09:47:46AM +0200, Lukas Slebodnik wrote: On (10/07/15 16:54), Jakub Hrozek wrote: On Wed, Jul 08, 2015 at 03:26:52PM +0200, Sumit Bose wrote: I would suggest that you put sss_cli_command_2string() in a file on its own, similar to atomic_io.c or authtok-utils.c, and add this file to pam_sss_la_SOURCES and libsss_debug_la_SOURCES in Makefile.am. I leave it up to you to decide what would be a good place for this file: the sss_client directory, because the enum sss_cli_command is defined there as well, or the util directory, because the main usage for it is in the SSSD code and not in the pam_sss module.

This is really important, so much that I wonder if we should move all the files that are used by both client code and daemon code to some new directory in the SSSD tree (src/shared/ maybe) and use a different comment header in these files.

We do not need to use sss_cmd2str in client code. If you want to see debug messages from the pam_sss module then you need to recompile the source code with an extra CFLAG to enable them.

Good point.

It is very unlikely that debug messages in pam_sss code will be used by users. I would prefer not to touch client code, or to use just the hexadecimal representation (the same as in the header file).

I agree, let's not touch the client unless needed.

Another reason for not using sss_cmd2str in client code is that it depends on our debug_fn from the internal library libsss_debug. Even though the function sss_cmd2str was not used in pam_sss.c it was still linked with pam_sss.so and thus the dlopen test failed. Petr already noticed it; this mail is just a summary of the off-list discussion. LS

Hi, there is another repaired patch. Changes are: * hexadecimal numbers instead of cmd2str() in sss_client, * added license preamble in headers of new files.
Andthere is a comment of Lukas Slebodnik for that I need more investigation. BTW It would be good to use new function also in backend code. src/providers/data_provider_be.c:1107: Got request for [%#x][%d][%s]\n, type, attr_type, filter); I used to filter debug messages for be_get_account_info which print type as hexadecimal number. Maybe there are also other places. LS Petr From a93e36f11759cf9a748942e7632d4a07a088b098 Mon Sep 17 00:00:00 2001 From: Petr Cech pc...@redhat.com Date: Wed, 8 Jul 2015 07:17:28 -0400 Subject: [PATCH] UTIL: Function 2string for enum sss_cli_command Improvement of debug messages. Instead of:(0x0400): Running command [17]... We could see:(0x0400): Running command [17][SSS_NSS_GETPWNAM]... (It's not used in sss_client. There are only hex numbers of commands.) Resolves: https://fedorahosted.org/sssd/ticket/2708 --- Makefile.am | 3 +- src/providers/dp_pam_data_util.c | 27 + src/responder/nss/nsssrv_cmd.c | 30 ++--- src/sss_client/pam_sss.c | 6 +- src/tools/tools_mc_util.c| 4 +- src/util/sss_cli_cmd.c | 238 +++ src/util/sss_cli_cmd.h | 28 + 7 files changed, 293 insertions(+), 43 deletions(-) create mode 100644 src/util/sss_cli_cmd.c create mode 100644 src/util/sss_cli_cmd.h diff --git a/Makefile.am b/Makefile.am index b8cbc6df23ded1edb945a709b6dbe1c44eb54017..430f2292a1be9e0f0b7cb56e8ecbf179e9978dcd 100644 --- a/Makefile.am +++ b/Makefile.am @@ -678,7 +678,8 @@ endif pkglib_LTLIBRARIES += libsss_debug.la libsss_debug_la_SOURCES = \ src/util/debug.c \ -src/util/sss_log.c +src/util/sss_log.c \ +src/util/sss_cli_cmd.c libsss_debug_la_LIBADD = \ $(SYSLOG_LIBS) libsss_debug_la_LDFLAGS = \ diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c index 8724bf936f3f46fb8393c8a3da57215a73b4191a..10e91f5f7286db5e76ad98b6c7519f2482d006db 100644 --- a/src/providers/dp_pam_data_util.c +++ b/src/providers/dp_pam_data_util.c 
@@ -23,33 +23,10 @@ */ #include providers/data_provider.h - +#include util/sss_cli_cmd.h #define PAM_SAFE_ITEM(item) item ? item : not set -static const char *pamcmd2str(int cmd) { -switch (cmd) { -case SSS_PAM_AUTHENTICATE: -return PAM_AUTHENTICATE; -case SSS_PAM_SETCRED: -return PAM_SETCRED; -case SSS_PAM_ACCT_MGMT: -return PAM_ACCT_MGMT; -case SSS_PAM_OPEN_SESSION: -return PAM_OPEN_SESSION; -case SSS_PAM_CLOSE_SESSION: -return PAM_CLOSE_SESSION; -case SSS_PAM_CHAUTHTOK: -return PAM_CHAUTHTOK; -case SSS_PAM_CHAUTHTOK_PRELIM: -return PAM_CHAUTHTOK_PRELIM; -case SSS_PAM_PREAUTH: -return SSS_PAM_PREAUTH; -default: -return UNKNOWN; -} -} - int pam_data_destructor(void *ptr) { struct pam_data *pd = talloc_get_type(ptr
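Review bot: the Makefile.am hunk adds src/util/sss_cli_cmd.c to libsss_debug_la_SOURCES only, which matches the decision in this thread not to call sss_cmd2str from the client; since the previous round failed the dlopen test because pam_sss.so pulled the symbol in, the new version should be verified against that test, and because pam_sss_la_SOURCES does not appear in the diff, a reviewer cannot confirm from the hunk alone that pam_sss no longer references the new file.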
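Review bot: the dp_pam_data_util.c hunk deletes the local static pamcmd2str(), which returned fixed spellings such as PAM_AUTHENTICATE and UNKNOWN for unrecognised values, in favour of the shared function from util/sss_cli_cmd.h; the text of the PAM command names in existing debug output will therefore become whatever sss_cmd2str emits, so either keep the same spellings in the shared table or mention the output change in the commit message.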
[SSSD] [PATCH] DATA_PROVIDER: BE_REQ as string in log message
Hi, I investigated the situation around the log message which Lukas mentioned. I prepared this patch. The result is that the original message

[sssd[be[cygnus.dev]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=celestian]

changed to

[sssd[be[cygnus.dev]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]

A) I would like to ask if the mark 'FAST' is useful, or if I should remove it.

B) While writing the patch Lukas noticed another similar logging message:

[sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [LDAP][3][1][name=mof_user6]

I investigated it. This is the same thing -- BE_REQ_*, but it is no longer in the provider, but in the responder. Can you please advise me where I could write the function 'be_req2str'? The first message comes from src/providers/data_provider_be.c -- be_get_account_info, the second from src/responder/common/responder_dp -- sss_dp_get_account_msg

Thanks. Petr

From 78ba1b38af081001eaefae180adc4a45e8c673d9 Mon Sep 17 00:00:00 2001 From: Petr Cech pc...@redhat.com Date: Wed, 15 Jul 2015 02:26:29 -0400 Subject: [PATCH] DATA_PROVIDER: BE_REQ as string in log message NOTICE: This is only draft, not real commit! We could have Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian] instead of Got request for [0x1001][1][name=celestian] Resolves: https://fedorahosted.org/sssd/ticket/2708 --- src/providers/data_provider_be.c | 38 +- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c index f5bdfb676011975defa4c5a734d420c8694f3bdd..1d59a0ab1b14f5db4319565edf646e01329f0168 100644 --- a/src/providers/data_provider_be.c +++ b/src/providers/data_provider_be.c
@@ -80,6 +80,8 @@ static int be_autofs_handler(struct sbus_request *dbus_req, void *user_data); static int be_host_handler(struct sbus_request *dbus_req, void *user_data); static int be_get_subdomains(struct sbus_request *dbus_req, void *user_data); +const char* be_req2str(dbus_uint32_t req_type); + struct data_provider_iface be_methods = { { data_provider_iface_meta, 0 }, .RegisterService = client_registration, @@ -1104,7 +1106,8 @@ static int be_get_account_info(struct sbus_request *dbus_req, void *user_data) return EOK; /* handled */ DEBUG(SSSDBG_FUNC_DATA, - Got request for [%#x][%d][%s]\n, type, attr_type, filter); + Got request for [%#x][%s][%d][%s]\n, type, be_req2str(type), + attr_type, filter); /* If we are offline and fast reply was requested * return offline immediately 
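Review bot: the forward declaration `const char* be_req2str(dbus_uint32_t req_type);` makes the helper external, yet its only definition is in this same file and the responder side (sss_dp_get_account_msg) cannot include data_provider_be.c to reach it. Either mark it `static` while it is provider-only, or move the prototype into the header that defines the BE_REQ_* constants so both data_provider_be.c and responder_dp.c can call the same function; the surrounding code also writes the pointer as `const char *be_req2str`. The DEBUG format change itself ([%#x][%s][%d][%s]) keeps the existing fields in order and only inserts the string, which is fine.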
@@ -2955,3 +2958,36 @@ static int data_provider_logrotate(struct sbus_request *dbus_req, void *data) return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID); } + +const char* be_req2str(dbus_uint32_t req_type) +{ +switch (req_type BE_REQ_TYPE_MASK) { +case BE_REQ_USER: +return req_type BE_REQ_FAST ? FAST BE_REQ_USER : BE_REQ_USER; +case BE_REQ_GROUP: +return req_type BE_REQ_FAST ? FAST BE_REQ_GROUP : BE_REQ_GROUP; +case BE_REQ_INITGROUPS: +return req_type BE_REQ_FAST ? FAST BE_REQ_INITGROUPS : BE_REQ_INITGROUPS; +case BE_REQ_NETGROUP: +return req_type BE_REQ_FAST ? FAST BE_REQ_NETGROUP : BE_REQ_NETGROUP; +case BE_REQ_SERVICES: +return req_type BE_REQ_FAST ? FAST BE_REQ_SERVICES : BE_REQ_SERVICES; +case BE_REQ_SUDO_FULL: +return req_type BE_REQ_FAST ? FAST BE_REQ_SUDO_FULL : BE_REQ_SUDO_FULL; +case BE_REQ_SUDO_RULES: +return req_type BE_REQ_FAST ? FAST BE_REQ_SUDO_RULES : BE_REQ_SUDO_RULES; +case BE_REQ_AUTOFS: +return req_type BE_REQ_FAST ? FAST BE_REQ_AUTOFS : BE_REQ_AUTOFS; +case BE_REQ_HOST: +return req_type BE_REQ_FAST ? FAST BE_REQ_HOST : BE_REQ_HOST; +case BE_REQ_BY_SECID: +return req_type BE_REQ_FAST ? FAST BE_REQ_BY_SECID : BE_REQ_BY_SECID; +case BE_REQ_USER_AND_GROUP: +return req_type BE_REQ_FAST ? FAST BE_REQ_USER_AND_GROUP : BE_REQ_USER_AND_GROUP; +case BE_REQ_BY_UUID: +return req_type BE_REQ_FAST ? FAST BE_REQ_BY_UUID : BE_REQ_BY_UUID; +case BE_REQ_BY_CERT: +return req_type BE_REQ_FAST ? FAST BE_REQ_BY_CERT : BE_REQ_BY_CERT; +} +return UNKNOWN_REQ; +} -- 2.4.3 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
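Review bot: every case in be_req2str() repeats the same ternary on BE_REQ_FAST with a "FAST ..." and a plain string, so adding a new BE_REQ_* value means editing two literals in sync and a typo in one branch would not be caught. Resolve the base name in the switch and handle the FAST flag once after it (for example return the base name and let the DEBUG call print a separate [FAST] marker); that also answers question A: the flag is part of the request and is worth keeping in the log. The switch has no `default:` and falls through to `return UNKNOWN_REQ;`, which is correct, but a `default:` inside the switch makes it explicit that an unlisted type is intentional rather than forgotten.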
Re: [SSSD] [WIKI] Contribute and DevelTips are duplicate
On 07/13/2015 11:02 PM, Jakub Hrozek wrote: On Fri, Jul 10, 2015 at 10:38:09AM +0200, Petr Cech wrote: Hi, Hi, sorry about the vacation-induced delay. This is a very useful proposal, see inline for my comments. I've read the wiki according to # https://fedorahosted.org/sssd/ticket/2706 and I think that it could be helpful to clean the page # https://fedorahosted.org/sssd/wiki/DevelTutorials from the git topic and create a new page for everything related to git. The motivation is, that: * Contribute briefly describes the whole process on a basic level, * DevelTips looks like a How To, * DevelTutorials are more about technologies, libraries, build process..., * So there could be one page for everything about git. ~ I think there might be one (or two) pages about our development process in general, not necessarily git. As a general comment, my aim when I filed this ticket was to make our wiki more maintainable. We have too many tasks on our hands already, so we should make sure all the info on our wiki is up-to-date and if possible, we have a documented way to update them (maybe in the release process...perhaps we could say that with every .0 version we update a selected list of pages?) NOTES how we could edit wiki: https://fedorahosted.org/sssd/wiki/Contribute Contribute Contribution Policy Source Code Repository /* * There could be only a link to the repo and * reference to New Git page. The new git page is actually my main concern, see below. */ Tips and tricks for developers QA, Development and Bug Triage Hmm, I see another duplication, we have both https://fedorahosted.org/sssd/wiki/BugLifecycle and: https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs (the latter being my fault) Can you also take a look at these two with your fresh eyes and consider merging them? Development Repositories We should add a note to this section linking to Lukas' COPR repo. I was even considering adding a link to this repo to both the Releases page and even maybe the front page -- opinions are welcome here!
Localization and Internationalization This section needs fixing, we don't use transifex anymore but Zanata. See the ReleaseProcess page for some more details: https://fedorahosted.org/sssd/wiki/ReleaseProcess I think a link to Zanata would be enough here. But at the same time, I would prefer this section to stay. Design Pages I think this whole section needs to go. We're adding several new design pages each release so it's not realistic to maintain this page. In order to track a design, I think the ultimate source is the ticket. If we want to maintain a section listing open/closed/postponed designs, then I would prefer to generate them from Trac ticket status. But IMO it's better to not have this info at all rather than have outdated info... Credits To be honest, I don't think this section and the page it links to: https://fedorahosted.org/sssd/wiki/WhoAreWe is useful and I would vote to remove it. Please note I'm not diminishing the contributions especially for non-Red Hat people, but I also think that since we don't really maintain the page, it would be better to remove it. The development team info is outdated at least since 2012.. Latest Documentation and Presentations I think the documentation is very valuable and needs to stay. Maybe we could add a sentence saying something like There is a dedicated page where we keep our documentation. https://fedorahosted.org/sssd/wiki/DevelTips This page is rather short, what do you say we merge it with Contribute page? SSSD Devel page Are there any introductory tutorials available? /* + Reference to the new Git page */ When I debug an SSSD process in a debugger, it always gets killed with … Using valgrind to identify memory access problems Using strace to track the SSSD processes How do I track work-in-progress of other developers? /* * Is it * still valid? * * I tried link * for jhrozek and * his sssd.git * and the url * doesn't exist. */ Hmm, which link did you try? 
I keep my work here these days: https://fedorapeople.org/cgit/jhrozek/public_git/sssd.git or as a git fetch URL: git://fedorapeople.org/home/fedora/jhrozek/public_git/sssd.git Why does make check take so long? Using clang to perform static analysis of source code When I compile the SSSD from source there is an error that says … https://fedorahosted.org/sssd/wiki/DevelTutorials /* * Label @new-git-page means * that I would like to move the given paragraph
Re: [SSSD] [PATCH] DEBUG: Preventing chown_debug_file if journald on
On 10/05/2015 10:21 AM, Jakub Hrozek wrote: On Fri, Sep 25, 2015 at 02:05:14PM +0200, Petr Cech wrote: ping I can't start sssd as a service with this patch applied after switching from root to non-root: 1) add user=sssd to the [sssd] section 2) chown root.root /var/log/sssd/*.log 3) systemctl start sssd I must admit I no longer remember what the irritating messages the ticket talks about were. Was it that the file is not there if only journald support is used? Would it make more sense to ignore ENOENT errors in that case (or even always)? Hi Jakub, the ticket says "chown_debug_file() is called unconditionally and it does not make any check if debug to files is active or not. This might cause irritating error messages e.g. when journald is used." I must admit I didn't check my patch currently. But I tried to reproduce your problem with starting SSSD after switching from the root to a non-root user. I think I caught the problem. I tried it (switch the user) without my patch applied---and the result was the same, it couldn't start. The problem is in step number 2, you wrote root instead of sssd. I tried a full installation now (make, create rpm, install from rpm) and it is possible to run SSSD without and with my patch applied. Maybe this could help to find a short way like in step 2: [root@albireo sssd]# ll /var/lib/ drwxr-xr-x. 8 root root 80 Oct 21 10:15 sss [root@albireo sssd]# ll /var/lib/sss drwx------. 2 sssd sssd 4096 Oct 21 10:25 db drwxr-xr-x. 2 sssd sssd 6 Oct 21 10:15 gpo_cache drwx------. 2 sssd sssd 6 Oct 21 10:15 keytabs drwxr-xr-x. 2 sssd sssd 48 Oct 21 10:25 mc drwxr-xr-x. 3 sssd sssd 40 Oct 21 10:25 pipes drwxr-xr-x. 3 sssd sssd 27 Oct 21 10:25 pubconf [root@albireo sssd]# ll /var/log drwxr-x---. 2 sssd sssd 4096 Oct 21 10:15 sssd Regards Petr
Re: [SSSD] [PATCH] DEBUG: Preventing chown_debug_file if journald on
How to reproduce: Sumit wrote an explanation in a ticket comment. It is better if the .log files are missing. And you need to run SSSD logging only to the journal. Lukas wrote in some mail above in the thread how to enable it. Thanks to all. Petr
Re: [SSSD] [PATCH] DEBUG: Preventing chown_debug_file if journald on
On 10/23/2015 02:18 PM, Petr Cech wrote: How to reproduce: Sumit wrote an explanation in a ticket comment. It is better if the .log files are missing. And you need to run SSSD logging only to the journal. Lukas wrote in some mail above in the thread how to enable it. Thanks to all. Petr # sudo bash # systemctl stop sssd # vim /etc/systemd/system/sssd.service.d/journal.conf # rm /var/log/sssd/*.log # systemctl daemon-reload # systemctl start sssd # journalctl -r | grep 'chown failed'
Re: [SSSD] [PATCH] TEST: recent_valid filter testing
On 10/23/2015 12:57 PM, Jakub Hrozek wrote: Thank you, I think your approach is correct. Your test essentially tests that testuser2 was on the server but was removed, so only testuser1 is returned. It's correct, but because the interface is able to return more users, I would prefer if we tested that as well. I have one more minor remark inline, but in general, please go ahead and add back the other tests.. Hello Jakub and everyone! The first patch set is attached. The removed tests were: * users_by_filter_valid * users_by_filter_multiple_domains_valid * groups_by_filter_valid * groups_by_filter_multiple_domains_valid This patch set covers users_by_filter_valid by two new tests: * user_by_recent_filter_valid * users_by_recent_filter_valid The first of them tests the recent filter. The second tests the interface's ability to return more users. Regards, Petr From e3dd543eec09f6e4386bfe6f1505538575fe5356 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com> Date: Fri, 2 Oct 2015 07:34:08 -0400 Subject: [PATCH 1/3] TEST: Add test_user_by_recent_filter_valid Test users_by_filter_valid() was removed in the past. We will add two new tests instead of it. The logic of those tests is connected to the RECENT filter. It returns only records which have been written or updated after the filter was created (or another given time). users_by_filter_valid() --> user_by_recent_filter_valid() users_by_recent_filter_valid() The first of the new tests, user_by_recent_filter_valid(), works with two users. One is stored before the filter request creation and the second user is stored after the filter request creation. So the filter returns only one user. The second of the new tests, users_by_recent_filter_valid(), works with three users. One is stored before the filter request creation and two users are stored after the filter request creation. So the filter returns two users. This patch adds user_by_recent_filter_valid(). Resolves: https://fedorahosted.org/sssd/ticket/2730 --- src/tests/cmocka/test_responder_cache_req.c | 50 + 1 file changed, 50 insertions(+) diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c index 744c8f4a8f7aa4e08f82aca5aea003438b5b59da..3379b17f7feea521966d6c8646afd9859a3c5255 100644 --- a/src/tests/cmocka/test_responder_cache_req.c +++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -1239,6 +1239,53 @@ static void cache_req_user_by_filter_test_done(struct tevent_req *req) ctx->tctx->done = true; } +void test_user_by_recent_filter_valid(void **state) +{ +struct cache_req_test_ctx *test_ctx = NULL; +TALLOC_CTX *req_mem_ctx = NULL; +struct tevent_req *req = NULL; +const char *ldbname = NULL; +errno_t ret; + +test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); +test_ctx->create_user = true; + +ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME2, "pwd", 1001, 1001, + NULL, NULL, NULL, "cn="TEST_USER_NAME2",dc=test", NULL, + NULL, 1000, time(NULL)); +assert_int_equal(ret, EOK); + +sleep(1); + +req_mem_ctx = talloc_new(test_ctx->tctx); +check_leaks_push(req_mem_ctx); + +/* Filters always go to DP */ +will_return(__wrap_sss_dp_get_account_send, test_ctx); +mock_account_recv_simple(); + +req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev, +test_ctx->rctx, +test_ctx->tctx->dom->name, +"test*"); +assert_non_null(req); + +tevent_req_set_callback(req, cache_req_user_by_filter_test_done, test_ctx); + +ret = test_ev_loop(test_ctx->tctx); +assert_int_equal(ret, ERR_OK); +assert_true(check_leaks_pop(req_mem_ctx)); + +assert_non_null(test_ctx->result); +assert_int_equal(test_ctx->result->count, 1); + +ldbname = ldb_msg_find_attr_as_string(test_ctx->result->msgs[0], + SYSDB_NAME, NULL); +assert_non_null(ldbname); +assert_string_equal(ldbname, TEST_USER_NAME); +} + + void test_users_by_filter_filter_old(void **state) { struct cache_req_test_ctx *test_ctx = NULL; 
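Review bot: the `sleep(1);` after sysdb_store_user() makes the test take a second and ties its outcome to wall-clock granularity; storing TEST_USER_NAME2 with a timestamp of time(NULL) - 1 instead gives the same "older than the filter" ordering without sleeping. The final assertions expect a single result named TEST_USER_NAME, which is never stored in the test body, so a comment next to will_return()/mock_account_recv_simple() saying that the DP callback creates it (test_ctx->create_user = true) would make the expectation readable, and the literal "test*" filter is better expressed through one shared TEST_USER_PREFIX define than repeated in each new test.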
@@ -1476,11 +1523,14 @@ int main(int argc, const char *argv[]) new_multi_domain_test(group_by_id_multiple_domains_found), new_multi_domain_test(group_by_id_multiple_domains_notfound), +new_single_domain_test(user_by_recent_filter_valid), + new_single_domain_test(users_by_filter_filter_old), new_single_domain_test(users_by_filter_notfound), new_multi_domain_test(users_by_filter_multiple_domains_notfound), new_single_domain_test(groups_by_filter_notfound), new_multi_domain_test(groups_by_filter_multiple_domains_notfound), +
Re: [SSSD] [PATCH] Monitor: Show service pings at debug level 8
On 10/27/2015 02:58 PM, Stephen Gallagher wrote: SSSDBG_CONF_SETTINGS is reserved for configuration information. These pings are generally just noise (when they fail, this is logged at SSDBG_FATAL_FAILURE). We should only log these at SSSDBG_TRACE_INTERNAL. Hi Stephen, CI tests are right: http://sssd-ci.duckdns.org/logs/job/31/44/summary.html => ACK Petr
Re: [SSSD] Review of umask() in SSSD
On 10/12/2015 11:37 AM, Jakub Hrozek wrote: > From a15acee2495ee12190e711f3344e14c54fc73062 Mon Sep 17 00:00:00 2001 >From: Petr Cech<pc...@redhat.com> >Date: Wed, 7 Oct 2015 08:57:15 -0400 >Subject: [PATCH 10/11] KRB5_CHILD: More restrictive umask > >We could use more restrictive umask in krb5_child. I found out that >there is directory creation, but it is done by create_ccache_dir() >which has its own umask setup. > >Resolves: >https://fedorahosted.org/sssd/ticket/2424 >--- > src/providers/krb5/krb5_child.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c >index 69b7687188c04498f6ef7c10a1b5ca602daca8ef..be8db23df4660adcb59fcd2677b28ee415cd18d8 100644 >--- a/src/providers/krb5/krb5_child.c >+++ b/src/providers/krb5/krb5_child.c 
>@@ -720,7 +720,7 @@ static krb5_error_code create_ccache(char *ccname, krb5_creds *creds) > #endif > > /* Set a restrictive umask, just in case we end up creating any file */ >-umask(SSS_DFL_X_UMASK); >+umask(SSS_DFL_UMASK); I think this change is OK, as you say, the directories might need the executable flag, but then the directory-creating code should make sure the permissions are more relaxed.. I checked it again. It is OK. btw I tested both FILE ccache: krb5_ccname_template =FILE:/tmp/ccache_%p.XX the result looked OK to me: # ll /tmp/ccache_ad...@ipa.test.KDaxgn -rw---. 1 admin admins 1041 Oct 12 09:14 /tmp/ccache_ad...@ipa.test.KDaxgn and DIR ccache: krb5_ccname_template = DIR:/tmp/ccaches/ccache_%p also looked good: # ll -d/tmp/ccaches/ drwx--. 3 admin admins 4096 Oct 12 09:31/tmp/ccaches/ # ll -d/tmp/ccaches/ccache_ad...@ipa.test/ drwx--. 2 admin admins 4096 Oct 12 09:31/tmp/ccaches/ccache_ad...@ipa.test/ # ll /tmp/ccaches/ccache_ad...@ipa.test -rw---. 1 admin admins 10 Oct 12 09:31 primary -rw---. 1 admin admins 1041 Oct 12 09:31 tktrg2WYD > > /* we create a new context here as the main process one may have been > * opened as root and contain possibly references (even open handles ?) >-- >2.4.3 > > From 6085c5ce86e6ba79f29d2c18f6fceca9bab5cecb Mon Sep 17 00:00:00 2001 
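Review bot: the comment above the changed call still reads "just in case we end up creating any file", but the new SSS_DFL_UMASK also masks the x bits, so the reasoning from the commit message (directories are only created by create_ccache_dir(), which sets its own umask) belongs in that comment too; otherwise a later reader who sees a DIR: ccache fail will be tempted to put SSS_DFL_X_UMASK back. Only the two changed lines are visible, so it is also worth stating whether the previous umask is saved and restored in create_ccache(); if it is not, everything krb5_child creates after this point inherits 0177-style modes, which the FILE: and DIR: listings in the thread confirm is the intended outcome here.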
>From: Petr Cech<pc...@redhat.com> >Date: Wed, 7 Oct 2015 09:32:12 -0400 >Subject: [PATCH 11/11] UTILS: Removing SSS_DFL_X UMASK constant 077 is still used in sss_unique_file(). So we can either use SSS_DFL_X umask there or convert to non-executable umask. Either way, I think it's OK to keep SSS_DFL_X even though it's unused right now for later use. It's just a constant. OK, SSS_DFL_X_UMASK is still here, but not used in code. sss_unique_file is used to generate kdcinfo files, where non-x would be OK because later we fchmod to 644 anyway: ret = fchmod(fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); ..and also used in gpo_cache_store_file() which uses the same pattern.. I rewrote DFL_X to DFL in sss_unique_file(). ...then also in sss_unique_filename() which is used to create dummy keytabs in ipa_server_trusted_dom_setup_1way(), handle_randomized() and ldap_child_get_tgt_sync(). Now: - ipa_server_trusted_dom_setup_1way() - safe to change, we only use it to get a unique filename, the contents are filled with ipa-getkeytab - handle_randomized() - safe to change, libkrb5 unlinks the unique file later, so we just really need the filename - ldap_child_get_tgt_sync() - ditto, only used as input for krb5_cc_resolve() The third patch is about a redundant constant. And at the end, there are many uses of umask() in CI tests, which I leave as they are. They could be test relevant. Maybe I will touch it in some future patch. The last umask-like constant is 644, which is connected to chmod(), open(), etc. Do we want to have a constant for it? Regards Petr From 2613e2f0cf519664136cb2ff2fb6ef30b80b12b2 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com> Date: Wed, 7 Oct 2015 08:57:15 -0400 Subject: [PATCH 1/3] KRB5_CHILD: More restrictive umask We could use more restrictive umask in krb5_child. I found out that there is directory creation, but it is done by create_ccache_dir() which has its own umask setup. Resolves: https://fedorahosted.org/sssd/ticket/2424 --- src/providers/krb5/krb5_child.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 69b7687188c04498f6ef7c10a1b5ca602daca8ef..be8db23df4660adcb59fcd2677b28ee415cd18d8 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -720,7 +720,7 @@ static krb5_error_code create_ccache(char *ccname, krb5_creds *creds) #endif /* Set a restrictive umask, just in case we end up creating any file */ -umask(SSS_DFL_X_UMASK); +umask(SSS_DFL_UMASK); /* w
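The thread's point that a umask without x bits is fine for files but unusable for directories (hence create_ccache_dir() keeping its own umask) can be checked directly. This is an added example, not SSSD code; the values 0177 for SSS_DFL_UMASK and 0077 for SSS_DFL_X_UMASK are assumptions, and the helper names are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* for mkdtemp() under strict -std= modes */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed values; SSSD's own constants are defined in its util headers
 * and may differ from these. */
#define DFL_UMASK   0177   /* owner rw only, every x bit masked */
#define DFL_X_UMASK 0077   /* owner rwx only */

/* Create one file or one directory under the umask `um` inside a fresh
 * temporary directory, restore the previous umask, remove what was
 * created and return the resulting permission bits, or -1 on error. */
static int mode_under_umask(mode_t um, int want_dir)
{
    char tmpl[] = "/tmp/umask_demo_XXXXXX";   /* constructed scratch path */
    char path[64];
    struct stat st;
    mode_t old;
    int fd, rc = -1;

    if (mkdtemp(tmpl) == NULL) {
        return -1;
    }
    snprintf(path, sizeof(path), "%s/%s", tmpl, want_dir ? "dir" : "file");

    old = umask(um);             /* same pattern as umask(SSS_DFL_UMASK) */
    if (want_dir) {
        rc = mkdir(path, 0777);  /* request rwx, the umask strips bits */
    } else {
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
        if (fd >= 0) {
            close(fd);
            rc = 0;
        }
    }
    umask(old);                  /* never leave a changed umask behind */

    if (rc == 0 && stat(path, &st) == 0) {
        rc = (int)(st.st_mode & 0777);
    } else {
        rc = -1;
    }
    if (want_dir) {
        rmdir(path);
    } else {
        unlink(path);
    }
    rmdir(tmpl);
    return rc;
}

/* A directory without the owner's search (x) bit cannot have entries
 * created inside it, which is exactly the case the thread warns about for
 * DIR: ccaches if directory-creating code did not set its own umask. */
static int dir_usable_under_umask(mode_t um)
{
    int mode = mode_under_umask(um, 1);
    return mode >= 0 && (mode & S_IXUSR) != 0;
}

int main(void)
{
    printf("file under 0177: %04o\n", mode_under_umask(DFL_UMASK, 0));
    printf("dir  under 0177: %04o usable=%d\n",
           mode_under_umask(DFL_UMASK, 1), dir_usable_under_umask(DFL_UMASK));
    printf("dir  under 0077: %04o usable=%d\n",
           mode_under_umask(DFL_X_UMASK, 1), dir_usable_under_umask(DFL_X_UMASK));
    return 0;
}
```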
Re: [SSSD] [PATCH] TEST: recent_valid filter testing
On 11/10/2015 08:29 AM, Pavel Reichl wrote: On 11/05/2015 05:29 PM, Petr Cech wrote: +void test_groups_by_recent_filter_valid(void **state) +{ +struct cache_req_test_ctx *test_ctx = NULL; +TALLOC_CTX *req_mem_ctx = NULL; +struct tevent_req *req = NULL; +const char **group_names = NULL; +const char **ldb_results = NULL; +const char *ldbname = NULL; +void *tmp_ctx = NULL; Could you use TALLOC_CTX? Yes, I could :-) +errno_t ret; + +test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); +test_ctx->create_group1 = true; +test_ctx->create_group2 = true; + +ret = sysdb_store_group(test_ctx->tctx->dom, TEST_GROUP_NAME2, +1001, NULL, 1001, time(NULL)); +assert_int_equal(ret, EOK); + +sleep(1); + +req_mem_ctx = talloc_new(global_talloc_context); +check_leaks_push(req_mem_ctx); + +/* Filters always go to DP */ +will_return(__wrap_sss_dp_get_account_send, test_ctx); +mock_account_recv_simple(); + +/* Group TEST_GROUP1 and TEST_GROUP2 are created with a DP callback. */ +req = cache_req_group_by_filter_send(req_mem_ctx, test_ctx->tctx->ev, + test_ctx->rctx, + test_ctx->tctx->dom->name, + TEST_USER_PREFIX); +assert_non_null(req); + +tevent_req_set_callback(req, cache_req_group_by_filter_test_done, test_ctx); + +ret = test_ev_loop(test_ctx->tctx); +assert_int_equal(ret, ERR_OK); +assert_true(check_leaks_pop(req_mem_ctx)); + +assert_non_null(test_ctx->result); +assert_int_equal(test_ctx->result->count, 2); + +tmp_ctx = talloc_zero(NULL, void *); Why not use talloc_new(parent_ctx)?
+ +group_names = talloc_array(tmp_ctx, const char *, 2); +assert_non_null(group_names); +group_names[0] = TEST_GROUP_NAME; +group_names[1] = TEST_GROUP_NAME2; + +ldb_results = talloc_array(tmp_ctx, const char *, 2); +assert_non_null(ldb_results); +for (int i = 0; i < 2; ++i) { +ldbname = ldb_msg_find_attr_as_string(test_ctx->result->msgs[i], + SYSDB_NAME, NULL); +assert_non_null(ldbname); +ldb_results[i] = ldbname; +} + +assert_string_not_equal(ldb_results[0], ldb_results[1]); + +assert_true(are_values_in_ldb_result(ldb_results, group_names)); + +talloc_zfree(tmp_ctx); +} Thanks! Your comments will be addressed in the next patchset. Petr
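Review bot: group_names and ldb_results are sized to two entries and the loop runs `i < 2` while the test separately asserts `test_ctx->result->count == 2`; deriving the array size and loop bound from result->count (or from one shared constant used in both places) makes a future change of the expected count fail in a single, obvious spot. Allocating tmp_ctx with `talloc_zero(NULL, void *)` also creates a second root context outside the check_leaks_push()/check_leaks_pop() pair around req_mem_ctx, so a leak of group_names or ldb_results would not be reported; `talloc_new(req_mem_ctx)`, as suggested in the thread, keeps it under the leak check. The filter passed to cache_req_group_by_filter_send() is TEST_USER_PREFIX even though the test is about groups; if the group names really share that prefix, a comment saying so would avoid the double take.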
Re: [SSSD] [PATCH] TEST: recent_valid filter testing
On 11/10/2015 08:37 AM, Lukas Slebodnik wrote: On (10/11/15 08:29), Pavel Reichl wrote: On 11/05/2015 05:29 PM, Petr Cech wrote: +void test_groups_by_recent_filter_valid(void **state) +{ +struct cache_req_test_ctx *test_ctx = NULL; +TALLOC_CTX *req_mem_ctx = NULL; +struct tevent_req *req = NULL; +const char **group_names = NULL; +const char **ldb_results = NULL; +const char *ldbname = NULL; +void *tmp_ctx = NULL; Could you use TALLOC_CTX? Why do we need two different talloc contexts in a test? "TALLOC_CTX *req_mem_ctx", "void *tmp_ctx" If we properly release resources we can use a single talloc context. It's the best way to catch memory leaks. LS Right, I will change void *tmp_ctx to TALLOC_CTX *tmp_ctx and I will create it under req_mem_ctx. I feel it will be more clear and readable. Petr
Re: [SSSD] [PATCH] TEST: recent_valid filter testing
On 11/09/2015 04:28 PM, Jakub Hrozek wrote: On Thu, Nov 05, 2015 at 05:29:25PM +0100, Petr Cech wrote: >On 11/04/2015 11:11 AM, Jakub Hrozek wrote: > >Hi, > > > >Sorry it took so long to get back to the review. I only have some minor > >comments, see inline.. > > > >Because the group patches are more or less equivalent, I'll just comment > >here. If you agree with the comments, please also change the group tests > >and resend in a single set. > > > >Thanks for the tests! > > > >>> From e3dd543eec09f6e4386bfe6f1505538575fe5356 Mon Sep 17 00:00:00 2001 > >>>From: Petr Cech<pc...@redhat.com> > >>>Date: Fri, 2 Oct 2015 07:34:08 -0400 > >>>Subject: [PATCH 1/3] TEST: Add test_user_by_recent_filter_valid > >>> > >>>Test users_by_filter_valid() was removed in the past. We will add two new > >>>tests instead of it. Logic of those tests is connected to RECENT > >>>filter. It returns only records which have been written or updated after > >>>filter was created (or another given time). > >>> > >>>users_by_filter_valid() --> user_by_recent_filter_valid() > >>> users_by_recent_filter_valid() > >>> > >>>The first of new tests, user_by_recent_filter_valid(), counts with two > >>>users. One is stored before filter request creation and the second user > >>>is stored after filter request creation. So filter returns only one > >>>user. > >>> > >>>The second of new tests, users_by_recent_filter_valid(), counts with > >>>three users. One is stored before filter request creation and two users > >>>are stored after filter request creation. So filter returns two users. > >>> > >>>This patch adds user_by_recent_filter_valid(). > >>> > >>>Resolves: > >>>https://fedorahosted.org/sssd/ticket/2730 > >>>--- > >>> src/tests/cmocka/test_responder_cache_req.c | 50 + > >>> 1 file changed, 50 insertions(+)
> >>> > >>>diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c > >>>index 744c8f4a8f7aa4e08f82aca5aea003438b5b59da..3379b17f7feea521966d6c8646afd9859a3c5255 100644 > >>>--- a/src/tests/cmocka/test_responder_cache_req.c > >>>+++ b/src/tests/cmocka/test_responder_cache_req.c > >>>@@ -1239,6 +1239,53 @@ static void cache_req_user_by_filter_test_done(struct tevent_req *req) > >>> ctx->tctx->done = true; > >>> } > >>> > >>>+void test_user_by_recent_filter_valid(void **state) > >>>+{ > >>>+struct cache_req_test_ctx *test_ctx = NULL; > >>>+TALLOC_CTX *req_mem_ctx = NULL; > >>>+struct tevent_req *req = NULL; > >>>+const char *ldbname = NULL; > >>>+errno_t ret; > >>>+ > >>>+test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); > >>>+test_ctx->create_user = true; > >>>+ > >>>+ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME2, "pwd", 1001, 1001, > >>>+ NULL, NULL, NULL, "cn="TEST_USER_NAME2",dc=test", NULL, > >>>+ NULL, 1000, time(NULL)); > >>>+assert_int_equal(ret, EOK); > >>>+ > >>>+sleep(1); > >The purpose of the sleep() here is just to make sure the entry was > >created in the past, right? Would it be equally safe to create the user > >with timestamp time(NULL)-1 to make the test faster? > > > >>>+ > >>>+req_mem_ctx = talloc_new(test_ctx->tctx); > >>>+check_leaks_push(req_mem_ctx); > >>>+ > >>>+/* Filters always go to DP */ > >>>+will_return(__wrap_sss_dp_get_account_send, test_ctx); > >>>+mock_account_recv_simple(); > >Can you add a comment that the TEST_USER is created with a DP callback > >here? > > > >>>+ > >>>+req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev, > >>>+test_ctx->rctx, > >>>+ test_ctx->tctx->dom->name, > >>>+"test*"); > >It would read nicer if we had a constant TEST_USER_PREFIX "test_user" #defined, > >or even TEST_USER_
Re: [SSSD] [PATCH] SSSD: Add a new command diag_cmd
On 11/11/2015 09:32 AM, Jakub Hrozek wrote: >Hi Jakub, > >I just sent the patch to the CI tests and they passed >http://sssd-ci.duckdns.org/logs/job/32/63/summary.html > > >Then I would prefer undocumented. It matches how we (don't) document the > >"command" option. >I agree with a little exception. I think it could be more clear if we write >a little documentation to the commit message or to the code near the new option. >But, as everybody wrote, we could leave the man page without documentation. Good idea, I can move the documentation that was previously in the man page to the commit message, would that work for you? Yes, it works for me. I am going to 1/2 PTO for now. The last two things are that I would like to run it due to your reproducer. And there is a remark from Stephen Gallagher which we need to resolve. However, CI tests passed. So if you're in a hurry with code review, please ask someone else. I can continue with review tomorrow. Regards Petr
[SSSD] [PATCH] IPA_PROVIDER: Explicit no handle of services
Hello, please see the first attempt of a patch for: https://fedorahosted.org/sssd/ticket/2747 Regards Petr PS: # reproducer getent services -s sss l...@cygnus.dev From 64d952f188e86a00c26ccbe26ad09231e6b6de2b Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Mon, 9 Nov 2015 09:51:05 -0500 Subject: [PATCH] IPA_PROVIDER: Explicit no handle of services FreeIPA can't handle services, so we can say explicitly that there are no services in the get_object_from_cache() function. And we return EINVAL if somebody tries to find services in IPA. Resolves: https://fedorahosted.org/sssd/ticket/2747 --- src/providers/ipa/ipa_subdomains_id.c | 5 + 1 file changed, 5 insertions(+) diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c index 472985d4ab4f785aa9c4af94bf8021829ca1c3c8..be050cc39c8446b2a92207ee2dad12f66032244f 100644 --- a/src/providers/ipa/ipa_subdomains_id.c +++ b/src/providers/ipa/ipa_subdomains_id.c @@ -915,6 +915,11 @@ errno_t get_object_from_cache(TALLOC_CTX *mem_ctx, NULL }; char *name; +if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_SERVICES) { +ret = EINVAL; +goto done; +} + if (ar->filter_type == BE_FILTER_SECID) { ret = sysdb_search_object_by_sid(mem_ctx, dom, ar->filter_value, attrs, ); -- 2.4.3
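Review bot: the new early exit `ret = EINVAL; goto done;` refuses services lookups without saying so anywhere, so the `getent services -s sss` reproducer will just fail silently from the caller's point of view; a DEBUG line in that branch stating that services are not supported for IPA would make the EINVAL diagnosable in the logs. The hunk also relies on `ret` and the `done:` label existing outside the shown context; confirm that the cleanup at `done:` does not touch `name` or any other variable that is still uninitialised at this point, since the jump now happens before the rest of the function assigns them.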
Re: [SSSD] [PATCH] SSSD: Add a new command diag_cmd
On 11/09/2015 07:17 PM, Stephen Gallagher wrote: There are problems inherent with passing the PID to the child process. There's no guarantee that the process still exists. In the worst-case, the PID could actually be reassigned to a new process and the output you got back from something like pstack could be reading from a different executable entirely. +1 I am sorry I didn't see the big picture. Petr
Re: [SSSD] CONFIGURE: Bump AM_GNU_GETTEXT_VERSION
On 11/10/2015 10:44 AM, Lukas Slebodnik wrote: ehlo, The function gettext was not detected properly with strict cflags even though it was part of glibc. sh$ CFLAGS="-Werror" ./configure sh$ grep gt_cv_func_gnugettext config.log gt_cv_func_gnugettext1_libc=no gt_cv_func_gnugettext1_libintl=no sh$ objdump -T /lib64/libc.so.6 | grep gettext 0002fc60 w DF .text 0010 GLIBC_2.2.5 dcngettext 0002dc70 w DF .text 000f GLIBC_2.2.5 dcgettext 0002fc80 w DF .text 0016 GLIBC_2.2.5 ngettext 0002dc90 w DF .text 000f GLIBC_2.2.5 gettext 0002dc70 gDF .text 000f GLIBC_2.2.5 __dcgettext 0002dc80 w DF .text 000a GLIBC_2.2.5 dgettext 0002dc80 gDF .text 000a GLIBC_2.2.5 __dgettext With the attached patch the situation is better. sh$ autoreconf sh$ CFLAGS="-Werror" ./configure sh$ grep gt_cv_func_gnugettext config.log gt_cv_func_gnugettext1_libc=yes LS 0001-CONFIGURE-Bump-AM_GNU_GETTEXT_VERSION.patch From c60c2e870d140e127bca69eb03bba30988c1dec4 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Tue, 10 Nov 2015 10:39:07 +0100 Subject: [PATCH] CONFIGURE: Bump AM_GNU_GETTEXT_VERSION The function gettext was not detected properly with strict cflags even though it was part of glibc. sh$ CFLAGS="-Werror" ./configure sh$ grep gt_cv_func_gnugettext config.log gt_cv_func_gnugettext1_libc=no gt_cv_func_gnugettext1_libintl=no sh$ objdump -T /lib64/libc.so.6 | grep gettext 0002fc60 w DF .text 0010 GLIBC_2.2.5 dcngettext 0002dc70 w DF .text 000f GLIBC_2.2.5 dcgettext 0002fc80 w DF .text 0016 GLIBC_2.2.5 ngettext 0002dc90 w DF .text 000f GLIBC_2.2.5 gettext 0002dc70 gDF .text 000f GLIBC_2.2.5 __dcgettext 0002dc80 w DF .text 000a GLIBC_2.2.5 dgettext 0002dc80 gDF .text 000a GLIBC_2.2.5 __dgettext 0002fc70 w DF .text 000b GLIBC_2.2.5 dngettext --- Hi Lukas, CI tests passed: http://sssd-ci.duckdns.org/logs/job/32/64/summary.html => ACK Regards Petr
Re: [SSSD] [PATCH] SSSD: Add a new command diag_cmd
On 11/11/2015 12:25 PM, Jakub Hrozek wrote: On Wed, Nov 11, 2015 at 11:07:46AM +0100, Petr Cech wrote: >On 11/11/2015 09:32 AM, Jakub Hrozek wrote: > >>>Hi Jakub, > >>> > >>>I just sent the patch to the CI tests and they passed > >>>http://sssd-ci.duckdns.org/logs/job/32/63/summary.html > >>> > >>>> >Then I would prefer undocumented. It matches how we (don't) document the > >>>> >"command" option. > >>>I agree with a little exception. I think it could be more clear if we write > >>>a little documentation to the commit message or to the code near the new option. > >>>But, as everybody wrote, we could leave the man page without documentation. > >Good idea, I can move the documentation that was previously in the man > >page to the commit message, would that work for you? > >Yes, it works for me. > >I am going to 1/2 PTO for now. > >The last two things are that I would like to run it due to your reproducer. >And there is a remark from Stephen Gallagher which we need to resolve. > >However, CI tests passed. So if you're in a hurry with code review, please >ask someone else. > >I can continue with review tomorrow. I'm not in a hurry at all. Attached is a patch that adds a better commit message. We can discuss any details related to testing over IRC if you prefer. Hi Jakub, it works due to your reproducer. It is really needed to have setenforce == 1 CI tests passed: http://sssd-ci.duckdns.org/logs/job/32/25/summary.html Stephen Gallagher wrote (2015-09-11 11:32 AM): There are problems inherent with passing the PID to the child process. There's no guarantee that the process still exists. In the worst-case, the PID could actually be reassigned to a new process and the output you got back from something like pstack could be reading from a different executable entirely. --- I understand, it could be dangerous. But, this option is a little bit secret, we don't write about it in our man pages and so on. I hope it will be used only for debugging some hot cases.
There are only little remarks in patch. => ACK Regrds Petr PS: I accepted that we have # p = copy; not something like: # copy_ptr = copy; How I suggested previous mail. 0001-SSSD-Add-a-new-command-diag_cmd.patch From ee4135adf6669221de575ebc92e7b3aabba55ba9 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek<jhro...@redhat.com> Date: Mon, 2 Nov 2015 11:41:31 +0100 Subject: [PATCH] SSSD: Add a new command diag_cmd This command is an optional one that is run when a sbus ping times out and before a SIGKILL commans is sent. ---^--- s -> d diag_cmd (string): A command that should be run for diagnostic purpose when an sbus timeout fails. The option value may contain %p which would be expanded for the process ID of the process that timed out Example: pstack %p This setting would print the stackstrace of the command whose ping timed out. Default: not set. --- src/confdb/confdb.h | 1 + src/config/SSSDConfig/__init__.py.in | 1 + src/config/SSSDConfigTest.py | 1 + src/config/etc/sssd.api.conf | 1 + src/monitor/monitor.c| 215 +++ 5 files changed, 197 insertions(+), 22 deletions(-) diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 37b5fd7c7629e2618a1699e3ffd58110171db605..0ef7268f9cdc2c18482bbf7b8dbe19d3ef6b7bbf 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -71,6 +71,7 @@ #define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix" #define CONFDB_MONITOR_OVERRIDE_SPACE "override_space" #define CONFDB_MONITOR_USER_RUNAS "user" +#define CONFDB_MONITOR_PRE_KILL_CMD "diag_cmd" /* Both monitor and domains */ #define CONFDB_NAME_REGEX "re_expression" diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index bf61c402796122050fa43cf41128faec4771c5d2..60129e6e7fbc96d11c539323346c22a7db6d7f23 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in 
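Review bot: in the confdb.h hunk the macro CONFDB_MONITOR_PRE_KILL_CMD names the option by when it runs, while the key it defines is "diag_cmd"; either rename it CONFDB_MONITOR_DIAG_CMD so it matches the key, or put a one-line comment above the define saying it is the diagnostic command run before the SIGKILL described in the commit message, so someone grepping for diag_cmd lands on it.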
@@ -50,6 +50,7 @@ option_strings = { 'reconnection_retries' : _('Number of times to attempt connection to Data Providers'), 'fd_limit' : _('The number of file descriptors that may be opened by this responder'), 'client_idle_timeout' : _('Idle time before automatic disconnection of a client'), +'diag_cmd' : _('The command to run when a service ping times out'), # [sssd] 'services' : _('SSSD Services to start'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 45562214da5d227b45914abbcb298e043048adf5..abd4a39258e060f27db62eb2352450b6c405930c 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -307,6 +307,7 @@ class SSSDConfigTestSSSDServi
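Review bot: the option_strings entry for 'diag_cmd' says only when the command runs and drops the %p substitution that the commit message documents, although this string is the only description SSSDConfig exposes; spell it out, e.g. _('The command to run when a service ping times out; %p expands to the PID of the stuck service'). The SSSDConfigTest hunk that follows is cut off here and cannot be reviewed.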
Re: [SSSD] [PATCH] Reduce the code duplication in Data Provider
On 11/11/2015 02:28 PM, Jakub Hrozek wrote: Hi, I think one of the prime reasons for #2861 was copy-pasting code. The two attached patches reduce the code duplication and hopefully will make future additions to Data Provider safer. Ideas on different solutions are welcome! Hi Jakub, I am afraid that the first patch is inapplicable. It is build up on 562a15a2d156b4b062acbf1f4e44e4cb7a4058d2 commit but there is no such commit. Regards Petr 0001-DP-Reduce-code-duplication-in-the-callback-handlers.patch From f6e929d4132a23d23a9016e43f4b870780c53032 Mon Sep 17 00:00:00 2001 From: Jakub HrozekDate: Wed, 11 Nov 2015 13:39:43 +0100 Subject: [PATCH 1/2] DP: Reduce code duplication in the callback handlers Instead of calling sbus_request_return_and_finish() directly with the same checks copied over, add a be_sbus_reply() helper instead. --- pcech@albireo ~/sssd: (master) $ git am ../patch/0001-DP-Reduce-code-duplication-in-the-callback-handlers.patch Applying: DP: Reduce code duplication in the callback handlers error: patch failed: src/providers/data_provider_be.c:661 error: src/providers/data_provider_be.c: patch does not apply Patch failed at 0001 DP: Reduce code duplication in the callback handlers The copy of the patch that failed is found in: /home/pcech/sssd/.git/rebase-apply/patch When you have resolved this problem, run "git am --continue". If you prefer to skip this patch, run "git am --skip" instead. To restore the original branch and stop patching, run "git am --abort". pcech@albireo ~/sssd: (master) $ git am --abort pcech@albireo ~/sssd: (master) $ git am -i3 ../patch/0001-DP-Reduce-code-duplication-in-the-callback-handlers.patch Commit Body is: -- DP: Reduce code duplication in the callback handlers Instead of calling sbus_request_return_and_finish() directly with the same checks copied over, add a be_sbus_reply() helper instead. -- Apply? 
[y]es/[n]o/[e]dit/[v]iew patch/[a]ccept all a Applying: DP: Reduce code duplication in the callback handlers error: invalid object 100644 562a15a2d156b4b062acbf1f4e44e4cb7a4058d2 for 'src/providers/data_provider_be.c' fatal: git-write-tree: error building trees Repository lacks necessary blobs to fall back on 3-way merge. Cannot fall back to three-way merge. Patch failed at 0001 DP: Reduce code duplication in the callback handlers The copy of the patch that failed is found in: /home/pcech/sssd/.git/rebase-apply/patch When you have resolved this problem, run "git am --continue". If you prefer to skip this patch, run "git am --skip" instead. To restore the original branch and stop patching, run "git am --abort". ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCH] Reduce the code duplication in Data Provider
On 11/12/2015 01:08 PM, Jakub Hrozek wrote:
> On Thu, Nov 12, 2015 at 01:03:33PM +0100, Petr Cech wrote:
> > On 11/11/2015 02:28 PM, Jakub Hrozek wrote:
> > > Hi,
> > >
> > > I think one of the prime reasons for #2861 was copy-pasting code. The
> > > two attached patches reduce the code duplication and hopefully will make
> > > future additions to Data Provider safer.
> > >
> > > Ideas on different solutions are welcome!
> >
> > Hi Jakub,
> >
> > I am afraid that the first patch is inapplicable.
> > It is built on top of commit 562a15a2d156b4b062acbf1f4e44e4cb7a4058d2 but there
> > is no such commit.
> >
> > Regards
>
> Ah, I'm sorry, I should have said earlier that the patches must be applied
> atop the patches in the thread called "[PATCH] Guard against invalid DP
> messages". These code refactoring patches are not that important, we can
> wait with review until the other thread is pushed.

Well, I looked at the thread called "[PATCH] Guard against invalid DP messages".
Those patches are still under review. So I will wait for them to be pushed to the
code base. Please ping this thread after it.

Thank you

Petr
Re: [SSSD] [PATCH] SSSD: Add a new command diag_cmd
On 11/12/2015 06:30 PM, Jakub Hrozek wrote:
> On Thu, Nov 12, 2015 at 10:49:33AM +0100, Petr Cech wrote:
> > On 11/11/2015 12:25 PM, Jakub Hrozek wrote:
> > > On Wed, Nov 11, 2015 at 11:07:46AM +0100, Petr Cech wrote:
> > > > On 11/11/2015 09:32 AM, Jakub Hrozek wrote:
> > > > > > Hi Jakub,
> > > > > >
> > > > > > I just sent the patch to the CI tests and they passed
> > > > > > http://sssd-ci.duckdns.org/logs/job/32/63/summary.html
> > > > > >
> > > > > > > Then I would prefer undocumented. It matches how we (don't) document the
> > > > > > > "command" option.
> > > > > > I agree with a little exception. I think it could be more clear if we write
> > > > > > little documentation to the commit message or to the code near the new option.
> > > > > > But, as everybody wrote, we could leave the man page without documentation.
> > > > > Good idea, I can move the documentation that was previously in the man
> > > > > page to the commit message, would that work for you?
> > > >
> > > > Yes, it works for me.
> > > >
> > > > I am going to 1/2 PTO for now.
> > > >
> > > > The last two things are that I would like to run it with your reproducer.
> > > > And there is a remark from Stephen Gallagher which we need to resolve.
> > > >
> > > > However, CI tests passed. So if you're in a hurry with code review, please
> > > > ask someone else.
> > > >
> > > > I can continue with review tomorrow.
> > > I'm not in a hurry at all. Attached is a patch that adds a better commit
> > > message. We can discuss any details related to testing over IRC if you
> > > prefer.
> > Hi Jakub,
> >
> > it works with your reproducer. It really needs to have
> > setenforce == 1
>
> You meant setenforce 0, right?

Hi Jakub,

yes, of course, I meant setenforce 1. It was a mistake.

> > CI tests passed:
> > http://sssd-ci.duckdns.org/logs/job/32/25/summary.html
> >
> > Stephen Gallagher wrote (2015-09-11 11:32 AM):
> > There are problems inherent with passing the PID to the child process.
> > There's no guarantee that the process still exists. In the worst-case,
> > the PID could actually be reassigned to a new process and the output
> > you got back from something like pstack could be reading from a
> > different executable entirely.
> > ---
> > I understand, it could be dangerous. But, this option is a little bit
> > secret, we don't write about it in our man pages and so on. I hope it will
> > be used only for debugging some hot cases.
>
> Yes, Stephen is right, but if this option is only used for debugging,
> then I think we're fine. I would really prefer to have this undocumented
> option rather than run blind in case services get stuck..

Yes, I agree. We can use this way because it is only for debugging.

> The real solution here would be to use systemd for service management.

Good point. Thank you for the remark.

> > There are only little remarks in the patch.
> >
> > => ACK
>
> Then it should be a nack, don't let sloppy patches through :-)

OK, I will be more restrictive.

> > Regards
> >
> > Petr
> >
> > PS: I accepted that we have
> > # p = copy;
> > not something like:
> > # copy_ptr = copy;
> > as I suggested in the previous mail.
>
> Sorry, I overlooked that previously. It's an honest mistake, I didn't want
> to ignore you. Feel free to just push again for changes you like next time,
> each suggestion should be discussed and either accepted or rejected (with
> good reason).

OK.

> > 0001-SSSD-Add-a-new-command-diag_cmd.patch
> >
> > From ee4135adf6669221de575ebc92e7b3aabba55ba9 Mon Sep 17 00:00:00 2001
> > From: Jakub Hrozek <jhro...@redhat.com>
> > Date: Mon, 2 Nov 2015 11:41:31 +0100
> > Subject: [PATCH] SSSD: Add a new command diag_cmd
> >
> > This command is an optional one that is run when a sbus ping times out
> > and before a SIGKILL commans is sent.
> >                            ---^--- s -> d
>
> Fixed

OK.

[...]
> >@@ -1065,6 +1237,18 @@ static errno_t get_ping_config(struct mt_ctx *ctx, const char *path, > >"Time between service pings for [%s]: [%d]\n", > > svc->name, svc->ping_time); > > > >+ret = confdb_get_string(ctx->cdb, svc, path, > >+CONFDB_MONITOR_PRE_KILL_CMD, > >+NULL, >diag_cmd); > >+if (ret != EOK) { > >+DEBUG(SSSDBG_CRIT_FAILURE, > >+
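Review bot: the get_ping_config hunk reads diag_cmd with confdb_get_string() from the service's own config `path`, so the option has to be set in each service or domain section (as in the [domain/foo] example earlier in the thread) rather than once in [sssd]; the commit message should say so. Because the value is a command string that the monitor will execute on a stuck service, the message should also state how that string is run (split into argv and exec'd directly, or handed to a shell), which nothing in the visible lines shows; the NULL default matches "Default: not set", and the SSSDBG_CRIT_FAILURE branch on ret != EOK is cut off here.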
Re: [SSSD] [PATCH] TEST: recent_valid filter testing
bump
Re: [SSSD] [PATCH] TEST: recent_valid filter testing
On 11/13/2015 11:32 AM, Jakub Hrozek wrote: On Fri, Nov 13, 2015 at 10:52:08AM +0100, Petr Cech wrote: >On 11/13/2015 10:30 AM, Petr Cech wrote: > >On 11/13/2015 10:27 AM, Petr Cech wrote: > >> > >>Patches are rebased now. I hope it will be ok now. > >> > >>Petr > >Sorry, now my local CI tests failed... I will rebase it again. > >Well, now it is right. Local CI tests passed. There has been patch: > > "TESTS: Fix warnings -Wshadow": > commit df9e9a1f9b7dc255eb62c390163c25917b08f5a2 > Refs: sssd-1_13_1-137-gdf9e9a1 > Author: Lukas Slebodnik<lsleb...@redhat.com> > AuthorDate: Mon Nov 9 10:59:55 2015 +0100 > Commit: Jakub Hrozek<jhro...@redhat.com> > CommitDate: Tue Nov 10 15:34:41 2015 +0100 > >There is change ># - time_t time) ># + time_t transaction_time) >in static void prepare_user(). >My patches were in conflict with it. > >Regards > >Petr > From 3ce6073dda27fd7a4626f5cbac1c765274ca5fe0 Mon Sep 17 00:00:00 2001 
>From: Petr Cech<pc...@redhat.com> >Date: Fri, 2 Oct 2015 07:34:08 -0400 >Subject: [PATCH 1/8] TEST: Add test_user_by_recent_filter_valid > >Test users_by_filter_valid() was removed in past. We will add two new >tests instead of it. Logic of those tests is connected to RECENT >filter. It returns only records which have been wrote or updated after >filter was created (or another given time). > >users_by_filter_valid() --> user_by_recent_filter_valid() > users_by_recent_filter_valid() > >The first of new tests, user_by_recent_filter_valid(), counts with two >users. One is stored before filter request creation and the second user >is stored after filter request creation. So filter returns only one >user. > >The second of new tests, users_by_recent_filter_valid(), counts with >three users. One is stored before filter request creation and two users >are stored after filter request creation. So filter returns two users. > >This patch adds user_by_recent_filter_valid(). > >Resolves: >https://fedorahosted.org/sssd/ticket/2730 >--- > src/tests/cmocka/test_responder_cache_req.c | 50 + > 1 file changed, 50 insertions(+) > >diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c >index 85d986bd7d159dc238bce4bc770272d18288f2dd..14a40ae6e56b2f6d0b18608bac09bc4680245153 100644 >--- a/src/tests/cmocka/test_responder_cache_req.c >+++ b/src/tests/cmocka/test_responder_cache_req.c 
>@@ -1239,6 +1239,53 @@ static void cache_req_user_by_filter_test_done(struct tevent_req *req) > ctx->tctx->done = true; > } > >+void test_user_by_recent_filter_valid(void **state) >+{ >+struct cache_req_test_ctx *test_ctx = NULL; >+TALLOC_CTX *req_mem_ctx = NULL; >+struct tevent_req *req = NULL; >+const char *ldbname = NULL; >+errno_t ret; >+ >+test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); >+test_ctx->create_user = true; >+ >+ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME2, >+ "pwd", 1001, 1001, NULL, NULL, NULL, >+ "cn="TEST_USER_NAME2",dc=test", >+ NULL, NULL, 1000, time(NULL)-1); >+assert_int_equal(ret, EOK); >+ >+req_mem_ctx = talloc_new(test_ctx->tctx); >+check_leaks_push(req_mem_ctx); I think the last question is whether we want to use this new context or just call check_leaks_push(test_ctx) recursively. I don't really mind too much, both would work for me. Unless someone opposes, I would push the patch as-is. OK. >+ >+/* Filters always go to DP */ >+will_return(__wrap_sss_dp_get_account_send, test_ctx); >+mock_account_recv_simple(); >+ >+/* User TEST_USER is created with a DP callback. */ >+req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev, >+test_ctx->rctx, >+test_ctx->tctx->dom->name, >+"test*"); >+assert_non_null(req); > From df9717ca932f95f55b528024829758dd9b2f2f56 Mon Sep 17 00:00:00 2001 >From: Petr Cech<pc...@redhat.com> >Date: Wed, 4 Nov 2015 06:50:33 -0500 >Subject: [PATCH 2/8] TEST: Refactor of test_responder_cache_req.c > >This patch only defines constant TEST_USER_FILTER. So code will be more TEST_USER_PREFIX is defined. Fixed. The code is fine. > From ae448cc95f9ab9fbca3ab
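Review bot: check_leaks_push(req_mem_ctx) sits right after sysdb_store_user(), but the push only tracks allocations under req_mem_ctx, which was just created empty, so that placement does not cover the store; anything sysdb_store_user() leaks lands under the test context and is caught by the push/pop done in setup() and teardown(). Either move the push next to the request it guards and add a comment saying what it watches, or allocate req_mem_ctx from global_talloc_context as the other tests do, so the intent is obvious to the next reader.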
Re: [SSSD] [PATCH] TEST: recent_valid filter testing
On 11/13/2015 12:27 PM, Jakub Hrozek wrote:
> > > > +req_mem_ctx = talloc_new(test_ctx->tctx);
> > > > +check_leaks_push(req_mem_ctx);
> > >
> > > I think the last question is whether we want to use this new context or
> > > just call check_leaks_push(test_ctx) recursively. I don't really mind
> > > too much, both would work for me.
> > >
> > > Unless someone opposes, I would push the patch as-is.
> >
> > I have a different question. (I haven't read the patches yet)
> > But I can see that check_leaks_push is called after sysdb_store_user.
> >
> > I would like to know why.
> > Because we should try to check leaks "caused" in this function.
>
> Wouldn't these leaks be caught by the leak checks that are pushed in
> setup() and popped in teardown()?

I found out that we use only this expression in test code:

req_mem_ctx = talloc_new(global_talloc_context);
check_leaks_push(req_mem_ctx);

So it is possible that I added this check in vain.
Re: [SSSD] [PATCH] SSSD: Add a new command diag_cmd
On 11/13/2015 08:20 AM, Petr Cech wrote:
> > Hi Jakub,
> >
> > it works with your reproducer. It really needs to have
> > setenforce == 1
>
> You meant setenforce 0, right?
>
> Hi Jakub,
>
> yes, of course, I meant setenforce 1. It was a mistake.
>                                   --^-- 1 --> 0

I made a little mistake again.
Re: [SSSD] [PATCH] TEST: recent_valid filter testing
On 11/13/2015 10:09 AM, Jakub Hrozek wrote: Hi, patch 003 doesn't apply cleanly for me, can you rebase? Patches are rebased now. I hope it will be ok now. Petr >From 3e43417db9b66bdb44d60b5f186156c5ac26ad4b Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Fri, 2 Oct 2015 07:34:08 -0400 Subject: [PATCH 1/8] TEST: Add test_user_by_recent_filter_valid Test users_by_filter_valid() was removed in past. We will add two new tests instead of it. Logic of those tests is connected to RECENT filter. It returns only records which have been wrote or updated after filter was created (or another given time). users_by_filter_valid() --> user_by_recent_filter_valid() users_by_recent_filter_valid() The first of new tests, user_by_recent_filter_valid(), counts with two users. One is stored before filter request creation and the second user is stored after filter request creation. So filter returns only one user. The second of new tests, users_by_recent_filter_valid(), counts with three users. One is stored before filter request creation and two users are stored after filter request creation. So filter returns two users. This patch adds user_by_recent_filter_valid(). Resolves: https://fedorahosted.org/sssd/ticket/2730 --- src/tests/cmocka/test_responder_cache_req.c | 50 + 1 file changed, 50 insertions(+) diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c index 85d986bd7d159dc238bce4bc770272d18288f2dd..14a40ae6e56b2f6d0b18608bac09bc4680245153 100644 --- a/src/tests/cmocka/test_responder_cache_req.c +++ b/src/tests/cmocka/test_responder_cache_req.c 
@@ -1239,6 +1239,53 @@ static void cache_req_user_by_filter_test_done(struct tevent_req *req) ctx->tctx->done = true; } +void test_user_by_recent_filter_valid(void **state) +{ +struct cache_req_test_ctx *test_ctx = NULL; +TALLOC_CTX *req_mem_ctx = NULL; +struct tevent_req *req = NULL; +const char *ldbname = NULL; +errno_t ret; + +test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); +test_ctx->create_user = true; + +ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME2, + "pwd", 1001, 1001, NULL, NULL, NULL, + "cn="TEST_USER_NAME2",dc=test", + NULL, NULL, 1000, time(NULL)-1); +assert_int_equal(ret, EOK); + +req_mem_ctx = talloc_new(test_ctx->tctx); +check_leaks_push(req_mem_ctx); + +/* Filters always go to DP */ +will_return(__wrap_sss_dp_get_account_send, test_ctx); +mock_account_recv_simple(); + +/* User TEST_USER is created with a DP callback. */ +req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev, +test_ctx->rctx, +test_ctx->tctx->dom->name, +"test*"); +assert_non_null(req); + +tevent_req_set_callback(req, cache_req_user_by_filter_test_done, test_ctx); + +ret = test_ev_loop(test_ctx->tctx); +assert_int_equal(ret, ERR_OK); +assert_true(check_leaks_pop(req_mem_ctx)); + +assert_non_null(test_ctx->result); +assert_int_equal(test_ctx->result->count, 1); + +ldbname = ldb_msg_find_attr_as_string(test_ctx->result->msgs[0], + SYSDB_NAME, NULL); +assert_non_null(ldbname); +assert_string_equal(ldbname, TEST_USER_NAME); +} + + void test_users_by_filter_filter_old(void **state) { struct cache_req_test_ctx *test_ctx = NULL; 
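Review bot: sysdb_store_user() stores TEST_USER_NAME2 with a timestamp of time(NULL)-1 so that it falls before the recent filter's cutoff, but nothing in the test says so; add a comment next to that call ("stored one second before the request is created, so the recent filter must not return it"), because a reader who only sees assert_int_equal(test_ctx->result->count, 1) and assert_string_equal(ldbname, TEST_USER_NAME) cannot tell why the second user is expected to be missing, and the one-second offset is the whole point of the test.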
@@ -1476,11 +1523,14 @@ int main(int argc, const char *argv[]) new_multi_domain_test(group_by_id_multiple_domains_found), new_multi_domain_test(group_by_id_multiple_domains_notfound), +new_single_domain_test(user_by_recent_filter_valid), + new_single_domain_test(users_by_filter_filter_old), new_single_domain_test(users_by_filter_notfound), new_multi_domain_test(users_by_filter_multiple_domains_notfound), new_single_domain_test(groups_by_filter_notfound), new_multi_domain_test(groups_by_filter_multiple_domains_notfound), + }; /* Set debug level to invalid value so we can deside if -d 0 was used. */ -- 2.4.3 >From 94d583476335324c4f4b62e547a74241582f807f Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Wed, 4 Nov 2015 06:50:33 -0500 Subject: [PATCH 2/8] TEST: Refactor of test_responder_cache_req.c This patch only defines constant TEST_USER_FILTER. So code will be more redeable. Resolves: https://fedorahosted.org/sssd/ticket/2730 --- src/tests/cmocka/test_responder_cache_req.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_ca
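Review bot: besides the new new_single_domain_test(user_by_recent_filter_valid) entry, the hunk adds an empty '+' line just before the closing '};' of the test array, which is unrelated whitespace; drop it so the diff contains only the new entry. The entry name follows the test_ prefix convention used by test_users_by_filter_filter_old in the previous hunk, so that part is consistent.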
Re: [SSSD] [PATCH] TEST: recent_valid filter testing
On 11/13/2015 10:27 AM, Petr Cech wrote:
> Patches are rebased now. I hope it will be ok now.
>
> Petr

Sorry, now my local CI tests failed... I will rebase it again.
Re: [SSSD] [PATCH] Reduce the code duplication in Data Provider
On 11/11/2015 02:28 PM, Jakub Hrozek wrote: Hi, I think one of the prime reasons for #2861 was copy-pasting code. The two attached patches reduce the code duplication and hopefully will make future additions to Data Provider safer. Ideas on different solutions are welcome! Hello Jakub, I see that the previous thread is pushed. So I have started to do review of those patch. Unfortunately the CI tests environment seems to be broken at all, however, local tests passed. Anyway, I have one little question, look to the second patch. 0001-DP-Reduce-code-duplication-in-the-callback-handlers.patch From f6e929d4132a23d23a9016e43f4b870780c53032 Mon Sep 17 00:00:00 2001 From: Jakub HrozekDate: Wed, 11 Nov 2015 13:39:43 +0100 Subject: [PATCH 1/2] DP: Reduce code duplication in the callback handlers Instead of calling sbus_request_return_and_finish() directly with the same checks copied over, add a be_sbus_reply() helper instead. > --- [...] 0002-DP-Reduce-code-duplication-in-Data-Provider-handlers.patch From caeee4a21bda233f0ec8b08b87a0695029e9af8f Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 11 Nov 2015 13:40:16 +0100 Subject: [PATCH 2/2] DP: Reduce code duplication in Data Provider handlers Instead of setting the three same variables over again, add a structure be_sbus_reply_data with a default initializer BE_SBUS_REPLY_DATA_INIT. The handlers can then set the structure to BE_SBUS_REPLY_DATA_INIT on declaration or set a particular value with be_sbus_reply_data_set. The handler can also reply to the message (typically on failure state) with be_sbus_req_reply_data() --- src/providers/data_provider_be.c | 266 +++ 1 file changed, 98 insertions(+), 168 deletions(-) diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c index eb2f49adce5f5313f31c67b1dfdd21685e69ca3a..de8a8357b8230eddb7f49fff021957c3f580c64e 100644 --- a/src/providers/data_provider_be.c +++ b/src/providers/data_provider_be.c 
@@ -319,6 +319,36 @@ static errno_t be_offline_reply(struct sbus_request **sbus_req_ptr, return ret; } +struct be_sbus_reply_data { +dbus_uint16_t err_maj; +dbus_uint32_t err_min; +const char *err_msg; +}; + +#define BE_SBUS_REPLY_DATA_INIT { .err_maj = DP_ERR_FATAL, \ --^-- What does this dot means? It is first time that I see it. Could you explain it to me, please? Is it some kind of syntactic sugar? Regards Petr + .err_min = EFAULT, \ + .err_msg = "Fatal error" \ +}; ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
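Review bot: BE_SBUS_REPLY_DATA_INIT ends with '};' inside the macro body, so a use site written as 'struct be_sbus_reply_data rd = BE_SBUS_REPLY_DATA_INIT;' gets a doubled semicolon, and a use in any position where a stray semicolon is not allowed will not compile; drop the ';' from the macro and let each use site supply its own. On the question raised in the thread: the '.err_maj = DP_ERR_FATAL' form is a C99 designated initializer, which names the field being initialized so the order of the fields does not matter and any field left unnamed is zero-initialized.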
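An added illustration, not code from the patch, of the designated-initializer pattern Petr asks about: it rebuilds be_sbus_reply_data with placeholder DP_ERR_* values, a setter in the style of the commit message, and a partial-initializer contrast to show what the all-fields default protects against. The function names and the constant values are this example's own assumptions.

```c
/* Added example (not the SSSD patch itself): the ".field = value" syntax is a
 * C99 designated initializer. This rebuilds the be_sbus_reply_data pattern
 * from the commit message with placeholder error codes. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Placeholder values; the real DP_ERR_* constants live in SSSD. */
#define DP_ERR_OK     0
#define DP_ERR_FATAL  3

struct be_sbus_reply_data {
    uint16_t err_maj;
    uint32_t err_min;
    const char *err_msg;
};

/* Designated initializer: fields are named, their order does not matter, and
 * any field left out is zero-initialized. No trailing ';' inside the macro,
 * so the use site supplies its own. */
#define BE_SBUS_REPLY_DATA_INIT { .err_maj = DP_ERR_FATAL, \
                                  .err_min = EFAULT,       \
                                  .err_msg = "Fatal error" }

/* Setter in the style of be_sbus_reply_data_set from the commit message. */
void reply_data_set(struct be_sbus_reply_data *rd,
                    uint16_t maj, uint32_t min, const char *msg)
{
    rd->err_maj = maj;
    rd->err_min = min;
    rd->err_msg = msg;
}

/* A handler in the style of the patch: it starts from the fatal default and
 * overrides it only on the success path, so an early return never sends an
 * uninitialized reply. */
struct be_sbus_reply_data handler_with_default(int succeed)
{
    struct be_sbus_reply_data rd = BE_SBUS_REPLY_DATA_INIT;

    if (succeed) {
        reply_data_set(&rd, DP_ERR_OK, 0, "Success");
    }
    return rd;
}

/* Contrast: a partial designated initializer leaves err_msg NULL and
 * err_maj 0, which is the sloppy state the all-fields macro is meant to
 * prevent in handlers that forget to set a field. */
struct be_sbus_reply_data handler_partial_init(void)
{
    struct be_sbus_reply_data rd = { .err_min = EFAULT };
    return rd;
}
```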
Re: [SSSD] [PATCH] IPA_PROVIDER: Explicit no handle of services
On 11/11/2015 02:42 PM, Jakub Hrozek wrote: Hi, I think it's a good idea to only say we don't handle services for IPA subdomains. But I also think it would be better to shortcut the request sooner, in ipa_subdomain_account_send() to avoid even sending an LDAP query. Hi Jakub, new patch is attached. During the testing... I found out, that I use wrong set up. Subdomains are connected to FreeIPA with trusted AD. So... patch is here, but I would like set up my environment properly and then I will inform you :-) Regards Petr >From a7d1a734489434df07d7663deb201bac10f01891 Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Mon, 9 Nov 2015 09:51:05 -0500 Subject: [PATCH] IPA_PROVIDER: Explicit no handle of services Services for IPA subdomains aren't handled by SSSD. This patch add quick shortcut to avoid sending an LDAP query. Resolves: https://fedorahosted.org/sssd/ticket/2747 --- src/providers/ipa/ipa_subdomains_id.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c index 472985d4ab4f785aa9c4af94bf8021829ca1c3c8..66898eb136dd09da5ca034f0e7ba0f54b075fcab 100644 --- a/src/providers/ipa/ipa_subdomains_id.c +++ b/src/providers/ipa/ipa_subdomains_id.c @@ -81,6 +81,12 @@ struct tevent_req *ipa_subdomain_account_send(TALLOC_CTX *memctx, struct tevent_req *subreq; int ret; +if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_SERVICES) { +DEBUG(SSSDBG_OP_FAILURE, + "Services for IPA subdomains aren't handled by SSSD.\n"); +return NULL; +} + req = tevent_req_create(memctx, , struct ipa_subdomain_account_state); if (req == NULL) { DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n"); -- 2.4.3 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
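Review bot: the new shortcut returns NULL from ipa_subdomain_account_send() before tevent_req_create(), and a NULL from a _send function is what callers treat as an allocation failure (the very next lines log "tevent_req_create failed" for exactly that case), so an unsupported BE_REQ_SERVICES request becomes indistinguishable from out-of-memory. Move the check after tevent_req_create(), finish the request with tevent_req_error(req, ENOTSUP) followed by tevent_req_post(req, ev) so the caller gets a real errno, and log at a level below SSSDBG_OP_FAILURE since this is an expected request type rather than a failure.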
Re: [SSSD] [PATCHES] UTIL: Fix memory leak in switch_creds
On 11/11/2015 08:04 AM, Lukas Slebodnik wrote:
> On (11/11/15 07:58), Petr Cech wrote:
> > On 11/09/2015 08:06 AM, Lukas Slebodnik wrote:
> > > ehlo,
> > >
> > > You can see a leak in the talloc report.
> > > But it was ignored. So we didn't notice it for a long time.
> > > http://sssd-ci.duckdns.org/logs/job/29/90/rhel7/ci-build-debug/src/tests/cwrap/become_user-tests.log
> > >
> > > The first patch fixes the leak and the last one is prevention
> > > for such mistakes in the future.
> > >
> > > LS
> > >
> > Hi Lukáš,
> >
> > CI tests passed.
> >
> Could you send a link?
>
> LS

Yes, of course, I could. And... there it is:
http://sssd-ci.duckdns.org/logs/job/32/54/summary.html

Petr
Re: [SSSD] [PATCHES] UTIL: Fix memory leak in switch_creds
On 11/09/2015 08:06 AM, Lukas Slebodnik wrote:
> ehlo,
>
> You can see a leak in the talloc report.
> But it was ignored. So we didn't notice it for a long time.
> http://sssd-ci.duckdns.org/logs/job/29/90/rhel7/ci-build-debug/src/tests/cwrap/become_user-tests.log
>
> The first patch fixes the leak and the last one is prevention
> for such mistakes in the future.
>
> LS

Hi Lukáš,

CI tests passed.

0001-UTIL-Fix-memory-leak-in-switch_creds.patch

From 219d1bdd378f0a8c17a508e1f3e29a2d5435f4d0 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Sat, 24 Oct 2015 14:19:11 +0200
Subject: [PATCH 1/5] UTIL: Fix memory leak in switch_creds

If we are already the requested user then we needn't call setresuid(),
setresgid(). But we forgot to release the local struct sss_creds *ssc, which
is used for returning saved credentials.
---

ACK

0002-TESTS-Initialize-leak-check.patch

From 318b862f473daf9606bf7752283a63b36934908b Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Sat, 24 Oct 2015 15:39:21 +0200
Subject: [PATCH 2/5] TESTS: Initialize leak check

If leak_check_setup is not called then global_talloc_context was not
initialized and check_leaks_pop(global_talloc_context) will fail.
---

ACK

0003-TESTS-Check-return-value-of-check_leaks_pop.patch

From 21bf7449bb53209ad24c0ec4079a5810bb6f707b Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Sat, 24 Oct 2015 15:15:39 +0200
Subject: [PATCH 3/5] TESTS: Check return value of check_leaks_pop
---

ACK

0004-TESTS-Make-check_leaks-static-function.patch

From 7e95820146c58e68d9cdf356198d18a3f748ff81 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Fri, 6 Nov 2015 15:13:29 +0100
Subject: [PATCH 4/5] TESTS: Make check_leaks static function
---

ACK

0005-TESTS-Add-warning-for-unused-result-of-leak-check-fu.patch

From d9e428b18c3282fc877683b1a8228665c5f9d48a Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Sat, 24 Oct 2015 15:48:26 +0200
Subject: [PATCH 5/5] TESTS: Add warning for unused result of leak check functions
---

ACK

Regards

Petr
Re: [SSSD] [PATCH] SSSD: Add a new command diag_cmd
On 11/10/2015 04:20 PM, Jakub Hrozek wrote:
> On Tue, Nov 10, 2015 at 01:22:54PM +0100, Lukas Slebodnik wrote:
> > On (10/11/15 13:15), Jakub Hrozek wrote:
> > > On Mon, Nov 09, 2015 at 11:32:30AM +0100, Petr Cech wrote:
> > > > On 11/04/2015 11:24 AM, Jakub Hrozek wrote:
> > > > > Hi,
> > > > >
> > > > > I created this patch to try to diagnose an issue where sssd would
> > > > > randomly restart on any of machines in a VM cluster without giving too
> > > > > much advice why. I think it might be useful to merge in general.
> > > >
> > > > Hi Jakub,
> > > >
> > > > I reviewed the patch. Code looks good to me.
> > > > CI tests passed: http://sssd-ci.duckdns.org/logs/job/32/25/summary.html
> > > >
> > > > Then I tried to test the new functionality.
> > > >
> > > > Man pages are right, I found diag_cmd in sssd.conf.
> > > >
> > > > And I really got the right message when I kill sss_pam:
> > > > # (Mon Nov 9 04:30:47 2015) [sssd] [svc_child_info] (0x0040): Child [25767]
> > > > terminated with signal [9]
> > > >
> > > > I would like to see the output of pstack, but I don't know how to get the right
> > > > state of SSSD. Can you help me, please?
> > >
> > > I tested the patch by setting a low 'timeout' in the 'domain' section
> > > and then setting the diag_cmd:
> > > [domain/foo]
> > > timeout = 2
> > > diag_cmd = pstack %p
> > >
> > > then I stopped the back end:
> > > # kill -STOP $(pidof sssd_be)
> > >
> > > You should see the pstack output in /var/log/sssd/sssd.log, also the
> > > debug_level must be increased in the [sssd] section. You might also need
> > > to set SELinux to Permissive, otherwise sssd might not be able to fork
> > > and exec pstack..
> > So in this case I would prefer if this option was not documented.
> > or it should be documented issues with SELinux
> >

Hi Jakub,

I just sent the patch to the CI tests and they passed
http://sssd-ci.duckdns.org/logs/job/32/63/summary.html

> Then I would prefer undocumented. It matches how we (don't) document the
> "command" option.

I agree with a little exception.
I think it could be more clear if we write little documentation to commit message or to the code near the new option. But, how everybody wrote, we could leave man page without documentation. A new patch is attached. 0001-SSSD-Add-a-new-command-diag_cmd.patch From fb1b8c5fd9fbec475c036563640d7e320d526620 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek<jhro...@redhat.com> Date: Mon, 2 Nov 2015 11:41:31 +0100 Subject: [PATCH] SSSD: Add a new command diag_cmd This command is an optional one that is run when a sbus ping times out and before a SIGKILL commans is sent. This command supports a single template substitution that expands to the PID of the service being signaled. --- src/confdb/confdb.h | 1 + src/config/SSSDConfig/__init__.py.in | 1 + src/config/SSSDConfigTest.py | 1 + src/config/etc/sssd.api.conf | 1 + src/monitor/monitor.c| 215 +++ 5 files changed, 197 insertions(+), 22 deletions(-) diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 37b5fd7c7629e2618a1699e3ffd58110171db605..0ef7268f9cdc2c18482bbf7b8dbe19d3ef6b7bbf 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -71,6 +71,7 @@ #define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix" #define CONFDB_MONITOR_OVERRIDE_SPACE "override_space" #define CONFDB_MONITOR_USER_RUNAS "user" +#define CONFDB_MONITOR_PRE_KILL_CMD "diag_cmd" /* Both monitor and domains */ #define CONFDB_NAME_REGEX "re_expression" diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index bf61c402796122050fa43cf41128faec4771c5d2..60129e6e7fbc96d11c539323346c22a7db6d7f23 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in 
@@ -50,6 +50,7 @@ option_strings = { 'reconnection_retries' : _('Number of times to attempt connection to Data Providers'), 'fd_limit' : _('The number of file descriptors that may be opened by this responder'), 'client_idle_timeout' : _('Idle time before automatic disconnection of a client'), +'diag_cmd' : _('The command to run when a service ping times out'), This is the reason why I ask for little documentation... because there is '%p' template shadowed. # [sssd] 'services' : _('SSSD Services to start'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 45562214da5d227b45914abbcb298e043048adf5..abd4a39258e060f27db62eb2352450b6c405930c 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -307,6 +307,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase): '
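Review bot: the help string added in __init__.py.in, 'The command to run when a service ping times out', says nothing about the %p template that the commit message describes, so anyone reading the config API or tooling built on it cannot discover the substitution; spell it out there ('...; %p expands to the PID of the unresponsive service') or, if the option is to stay out of the man page, put that sentence in a comment next to the CONFDB_MONITOR_PRE_KILL_CMD define in confdb.h. Separately, the macro is named PRE_KILL_CMD while the option string is "diag_cmd", which makes it harder to grep from a config file back to the code; naming the two alike avoids that.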
Re: [SSSD] [PATCH] SSSD: Add a new command diag_cmd
On 11/04/2015 11:24 AM, Jakub Hrozek wrote:
Hi,

I created this patch to try to diagnose an issue where sssd would randomly restart on any of machines in a VM cluster without giving too much advice why. I think it might be useful to merge in general.

Hi Jakub,

I reviewed the patch. Code looks good to me.
CI tests passed: http://sssd-ci.duckdns.org/logs/job/32/25/summary.html

Then I tried to test new functionality.

Man pages are right, I found diag_cmd in sssd.conf.

And I really got the right message when I kill sss_pam:
# (Mon Nov 9 04:30:47 2015) [sssd] [svc_child_info] (0x0040): Child [25767] terminated with signal [9]

I would like to see output of pstack, but I don't know how to get the right state of SSSD. Can you help me, please?

Regards
Petr
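The diag_cmd option under review in this thread expands a single %p template to the PID of the unresponsive service and runs the result before the monitor sends SIGKILL. The block below is an added, stand-alone illustration of that mechanism; it is not the monitor.c code from the patch (the thread does not reproduce it). expand_diag_cmd(), run_diag_cmd() and kill_with_diag() are hypothetical names, the /bin/sh invocation, the bounded wait and the rejection of unknown escapes are design choices of this example, and the commands in main() are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Expand the template: "%p" becomes the PID, "%%" a literal '%'. Any other
 * escape (or a trailing '%') is rejected with NULL so a typo is never run
 * as-is. Returns a malloc()ed string the caller frees. (Example code.) */
char *expand_diag_cmd(const char *tmpl, pid_t pid)
{
    char pidbuf[32];
    int pidlen = snprintf(pidbuf, sizeof(pidbuf), "%ld", (long)pid);
    size_t len = 0, cap = strlen(tmpl) + 1;
    char *out = malloc(cap);
    if (out == NULL) {
        return NULL;
    }
    for (const char *p = tmpl; *p != '\0'; p++) {
        const char *piece = p;   /* default: copy this one byte */
        size_t plen = 1;
        if (*p == '%') {
            p++;
            if (*p == 'p') {
                piece = pidbuf;
                plen = (size_t)pidlen;
            } else if (*p == '%') {
                piece = "%";
            } else {
                free(out);
                return NULL;
            }
        }
        if (len + plen + 1 > cap) {
            cap = (len + plen + 1) * 2;
            char *grown = realloc(out, cap);
            if (grown == NULL) {
                free(out);
                return NULL;
            }
            out = grown;
        }
        memcpy(out + len, piece, plen);
        len += plen;
    }
    out[len] = '\0';
    return out;
}

/* Run the expanded command via /bin/sh and wait at most timeout_s seconds:
 * a diagnostic that hangs must not hold up the monitor that is about to
 * SIGKILL the stuck service. Returns the exit status, or -1 on fork/exec
 * failure, death by signal or timeout. */
int run_diag_cmd(const char *tmpl, pid_t target, unsigned timeout_s)
{
    char *cmd = expand_diag_cmd(tmpl, target);
    if (cmd == NULL) {
        return -1;
    }
    pid_t child = fork();
    if (child < 0) {
        free(cmd);
        return -1;
    }
    if (child == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    free(cmd);

    const struct timespec tick = { 0, 100000000L };   /* 100 ms */
    int status = 0;
    for (unsigned waited = 0; waited < timeout_s * 10; waited++) {
        pid_t r = waitpid(child, &status, WNOHANG);
        if (r == child) {
            return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
        }
        if (r < 0) {
            return -1;
        }
        nanosleep(&tick, NULL);
    }
    kill(child, SIGKILL);   /* the diagnostic itself got stuck */
    waitpid(child, &status, 0);
    return -1;
}

/* The sequence the option exists for: capture state first, then SIGKILL. */
void kill_with_diag(pid_t svc, const char *tmpl)
{
    if (tmpl != NULL && run_diag_cmd(tmpl, svc, 10) != 0) {
        fprintf(stderr, "diag_cmd for pid %ld failed or timed out\n", (long)svc);
    }
    kill(svc, SIGKILL);
}

int main(void)
{
    /* Constructed demo against our own PID; nothing is killed here. */
    char *cmd = expand_diag_cmd("pstack %p", getpid());
    printf("expanded: %s\n", cmd ? cmd : "(invalid template)");
    free(cmd);
    printf("status: %d\n", run_diag_cmd("echo diag for %p", getpid(), 5));
    return 0;
}
```

The bounded wait is the part worth copying: if the diagnostic hangs, the monitor still proceeds to the SIGKILL. The SELinux remark in the thread is the other failure mode, where fork/exec is denied and run_diag_cmd() simply returns -1.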
Re: [SSSD] [PATCH] TEST: recent_valid filter testing
On 10/27/2015 09:42 AM, Petr Cech wrote:
The removed tests were:
* users_by_filter_valid
* users_by_filter_multiple_domains_valid
* groups_by_filter_valid
* groups_by_filter_multiple_domains_valid

Hello,

another patch set is attached. This patch set covers groups_by_filter_valid by two new tests:
* group_by_recent_filter_valid
* groups_by_recent_filter_valid

The first of them tests the recent filter. The second tests interface ability to return more groups.

I looked at multiple_domains tests too. But I am afraid I misunderstood their purpose. Because users/groups are set with the same domains. I will look at it once again.

Regards,
Petr

>From 9c2cf658b62734df71650b568bd1c6be6c4c6e43 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Sun, 1 Nov 2015 07:09:28 -0500
Subject: [PATCH 4/6] TEST: Add test_group_by_recent_filter_valid

Test groups_by_filter_valid() was removed in past. We will add two new tests instead of it. Logic of those tests is connected to RECENT filter. It returns only records which have been written or updated after filter was created (or another given time).

groups_by_filter_valid() --> group_by_recent_filter_valid()
                             groups_by_recent_filter_valid()

The first of new tests, group_by_recent_filter_valid(), counts with two groups. One is stored before filter request creation and the second group is stored after filter request creation. So filter returns only one group.

The second of new tests, groups_by_recent_filter_valid(), counts with three users. One is stored before filter request creation and two groups are stored after filter request creation. So filter returns two groups.

This patch adds group_by_recent_filter_valid().

Resolves:
https://fedorahosted.org/sssd/ticket/2730
---
 src/tests/cmocka/test_responder_cache_req.c | 45 +
 1 file changed, 45 insertions(+)
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c index e4fccdab883f267cced1cf2e9995bd9828242690..77bdde40917b576b2b97d92d9dc23900085a11ae 100644 --- a/src/tests/cmocka/test_responder_cache_req.c +++ b/src/tests/cmocka/test_responder_cache_req.c @@ -1495,6 +1495,50 @@ static void cache_req_group_by_filter_test_done(struct tevent_req *req) ctx->tctx->done = true; } +void test_group_by_recent_filter_valid(void **state) +{ +struct cache_req_test_ctx *test_ctx = NULL; +TALLOC_CTX *req_mem_ctx = NULL; +struct tevent_req *req = NULL; +const char *ldbname = NULL; +errno_t ret; + +test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); +test_ctx->create_group = true; + +ret = sysdb_store_group(test_ctx->tctx->dom, TEST_GROUP_NAME2, +1001, NULL, 1001, time(NULL)); +assert_int_equal(ret, EOK); + +sleep(1); + +req_mem_ctx = talloc_new(global_talloc_context); +check_leaks_push(req_mem_ctx); + +/* Filters always go to DP */ +will_return(__wrap_sss_dp_get_account_send, test_ctx); +mock_account_recv_simple(); + +req = cache_req_group_by_filter_send(req_mem_ctx, test_ctx->tctx->ev, + test_ctx->rctx, + test_ctx->tctx->dom->name, + "test*"); +assert_non_null(req); +tevent_req_set_callback(req, cache_req_group_by_filter_test_done, test_ctx); + +ret = test_ev_loop(test_ctx->tctx); +assert_int_equal(ret, ERR_OK); +assert_true(check_leaks_pop(req_mem_ctx)); + +assert_non_null(test_ctx->result); +assert_int_equal(test_ctx->result->count, 1); + +ldbname = ldb_msg_find_attr_as_string(test_ctx->result->msgs[0], + SYSDB_NAME, NULL); +assert_non_null(ldbname); +assert_string_equal(ldbname, TEST_GROUP_NAME); +} + void test_groups_by_filter_notfound(void **state) { struct cache_req_test_ctx *test_ctx = NULL; 
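Review bot: req_mem_ctx is parented on global_talloc_context here while the equivalent user test quoted later in this thread uses test_ctx->tctx; pick one parent so check_leaks_push()/check_leaks_pop() behave the same in both tests. The sleep(1) only exists to make the pre-stored TEST_GROUP_NAME2 older than the filter request; passing time(NULL) - 1 as the last argument of sysdb_store_group() removes the one-second delay without changing what is asserted, and the "test*" literal would read better as a shared #define next to TEST_GROUP_NAME.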
@@ -1615,6 +1659,7 @@ int main(int argc, const char *argv[]) new_single_domain_test(user_by_recent_filter_valid), new_single_domain_test(users_by_recent_filter_valid), +new_single_domain_test(group_by_recent_filter_valid), new_single_domain_test(users_by_filter_filter_old), new_single_domain_test(users_by_filter_notfound), -- 2.4.3
>From 4efa3966f20791d65c439ff450b473c6d9419eff Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Sun, 1 Nov 2015 07:21:18 -0500
Subject: [PATCH 5/6] TEST: Refactor of test_responder_cache_req.c

We need little more in background of responder_cache_req tests. There will be tests which will use three test groups. This patch adds support for it.

Resolves:
https://fedorahosted.org/sssd/ticket/2730
---
 src/tests/cmocka/test_responder_cache_req.c | 20 +++-
 1 file changed, 15 insertions(+), 5 deletio
Re: [SSSD] [PATCH] sudo: remove unused param name in sdap_sudo_get_usn()
On 11/02/2015 03:09 PM, Petr Cech wrote:
On 11/02/2015 03:03 PM, Pavel Reichl wrote:
Hello, please see simple patch attached. Thanks!
LGTM, I am waiting for CI :-)
Petr

CI tests passed: http://sssd-ci.duckdns.org/logs/job/31/85/summary.html
=> ACK
Petr
Re: [SSSD] [PATCH] sudo: remove unused param name in sdap_sudo_get_usn()
On 11/02/2015 03:03 PM, Pavel Reichl wrote:
Hello, please see simple patch attached. Thanks!

LGTM, I am waiting for CI :-)
Petr
Re: [SSSD] Review of umask() in SSSD
On 10/21/2015 03:19 PM, Petr Cech wrote: On 10/12/2015 11:37 AM, Jakub Hrozek wrote: > From a15acee2495ee12190e711f3344e14c54fc73062 Mon Sep 17 00:00:00 2001 >From: Petr Cech<pc...@redhat.com> >Date: Wed, 7 Oct 2015 08:57:15 -0400 >Subject: [PATCH 10/11] KRB5_CHILD: More restrictive umask > >We could use more restrictive umask in krb5_child. I found out that >there is directory creation, but it is done by create_ccache_dir() >which has its own umask setup. > >Resolves: >https://fedorahosted.org/sssd/ticket/2424 >--- > src/providers/krb5/krb5_child.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c >index 69b7687188c04498f6ef7c10a1b5ca602daca8ef..be8db23df4660adcb59fcd2677b28ee415cd18d8 100644 >--- a/src/providers/krb5/krb5_child.c >+++ b/src/providers/krb5/krb5_child.c 
>@@ -720,7 +720,7 @@ static krb5_error_code create_ccache(char *ccname, krb5_creds *creds) > #endif > > /* Set a restrictive umask, just in case we end up creating any file */ >-umask(SSS_DFL_X_UMASK); >+umask(SSS_DFL_UMASK); I think this change is OK, as you say, the directories might need the executable flag, but then the directory-creating code should make sure the permissions are more relaxed.. I checked it again. It is OK. btw I tested both FILE ccache: krb5_ccname_template =FILE:/tmp/ccache_%p.XX the result looked OK to me: # ll /tmp/ccache_ad...@ipa.test.KDaxgn -rw---. 1 admin admins 1041 Oct 12 09:14 /tmp/ccache_ad...@ipa.test.KDaxgn and DIR ccache: krb5_ccname_template = DIR:/tmp/ccaches/ccache_%p also looked good: # ll -d/tmp/ccaches/ drwx--. 3 admin admins 4096 Oct 12 09:31/tmp/ccaches/ # ll -d/tmp/ccaches/ccache_ad...@ipa.test/ drwx--. 2 admin admins 4096 Oct 12 09:31/tmp/ccaches/ccache_ad...@ipa.test/ # ll /tmp/ccaches/ccache_ad...@ipa.test -rw---. 1 admin admins 10 Oct 12 09:31 primary -rw---. 1 admin admins 1041 Oct 12 09:31 tktrg2WYD > > /* we create a new context here as the main process one may have been > * opened as root and contain possibly references (even open handles ?) >-- >2.4.3 > > From 6085c5ce86e6ba79f29d2c18f6fceca9bab5cecb Mon Sep 17 00:00:00 2001 
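Review bot: with the umask switched from SSS_DFL_X_UMASK to SSS_DFL_UMASK (0177) any directory mkdir()'d while it is in effect ends up 0600 and cannot be entered even by its owner, so the change is only safe as long as create_ccache_dir() really is the sole directory-creating path and sets and restores its own umask, as the commit message says; the comment directly above the call ('just in case we end up creating any file') no longer covers that, so a one-line note that directories must not be created under this umask would stop the next reader from adding a mkdir() here.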
>From: Petr Cech<pc...@redhat.com>
>Date: Wed, 7 Oct 2015 09:32:12 -0400
>Subject: [PATCH 11/11] UTILS: Removing SSS_DFL_X UMASK constant

077 is still used in sss_unique_file(). So we can either use SSS_DFL_X umask there or convert to non-executable umask. Either way, I think it's OK to keep SSS_DFL_X even though it's unused right now for later use. It's just a constant.

OK, SSS_DFL_X_UMASK is still here, but not used in code.

sss_unique_file is used to generate kdcinfo files, where non-x would be OK because later we fchmod to 644 anyway:
ret = fchmod(fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
..and also used in gpo_cache_store_file() which uses the same pattern..

I rewrote DFL_X to DFL in sss_unique_file().

...then also in sss_unique_filename() which is used to create dummy keytabs in ipa_server_trusted_dom_setup_1way(), handle_randomized() and ldap_child_get_tgt_sync(). Now:
- ipa_server_trusted_dom_setup_1way() - safe to change, we only use it to get a unique filename, the contents are filled with ipa-getkeytab
- handle_randomized() - safe to change, libkrb5 unlinks the unique file later, so we just really need the filename
- ldap_child_get_tgt_sync() - ditto, only used as input for krb5_cc_resolve()

The third patch is about redundant constant.

And at the end, there are many uses of umask() in CI tests, which I leave as they are. They could be test relevant. Maybe I will touch it in some future patch.

The last umask like constant is 644, which is connected to chmod(), open(), etc. Do we want to have a constant for it?

Regards
Petr

bump
Re: [SSSD] [PATCH] TEST: recent_valid filter testing
On 11/04/2015 11:11 AM, Jakub Hrozek wrote:
Hi,

Sorry it took so long to get back to the review. I only have some minor comments, see inline.. Because the group patches are more or less equivalent, I'll just comment here. If you agree with the comments, please also change the group tests and resend in a single set. Thanks for the tests!

> From e3dd543eec09f6e4386bfe6f1505538575fe5356 Mon Sep 17 00:00:00 2001
>From: Petr Cech<pc...@redhat.com>
>Date: Fri, 2 Oct 2015 07:34:08 -0400
>Subject: [PATCH 1/3] TEST: Add test_user_by_recent_filter_valid
>
>Test users_by_filter_valid() was removed in past. We will add two new
>tests instead of it. Logic of those tests is connected to RECENT
>filter. It returns only records which have been written or updated after
>filter was created (or another given time).
>
>users_by_filter_valid() --> user_by_recent_filter_valid()
>                            users_by_recent_filter_valid()
>
>The first of new tests, user_by_recent_filter_valid(), counts with two
>users. One is stored before filter request creation and the second user
>is stored after filter request creation. So filter returns only one
>user.
>
>The second of new tests, users_by_recent_filter_valid(), counts with
>three users. One is stored before filter request creation and two users
>are stored after filter request creation. So filter returns two users.
>
>This patch adds user_by_recent_filter_valid().
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/2730
>---
> src/tests/cmocka/test_responder_cache_req.c | 50 +
> 1 file changed, 50 insertions(+)
>
>diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
>index 744c8f4a8f7aa4e08f82aca5aea003438b5b59da..3379b17f7feea521966d6c8646afd9859a3c5255 100644
>--- a/src/tests/cmocka/test_responder_cache_req.c
>+++ b/src/tests/cmocka/test_responder_cache_req.c
>@@ -1239,6 +1239,53 @@ static void cache_req_user_by_filter_test_done(struct tevent_req *req) > ctx->tctx->done = true; > } > >+void test_user_by_recent_filter_valid(void **state) >+{ >+struct cache_req_test_ctx *test_ctx = NULL; >+TALLOC_CTX *req_mem_ctx = NULL; >+struct tevent_req *req = NULL; >+const char *ldbname = NULL; >+errno_t ret; >+ >+test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); >+test_ctx->create_user = true; >+ >+ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME2, "pwd", 1001, 1001, >+ NULL, NULL, NULL, "cn="TEST_USER_NAME2",dc=test", NULL, >+ NULL, 1000, time(NULL)); >+assert_int_equal(ret, EOK); >+ >+sleep(1); The purpose of the sleep() here is just to make sure the entry was created in the past, right? Would it be equally safe to create the user with timestamp time(NULL)-1 to make the test faster? >+ >+req_mem_ctx = talloc_new(test_ctx->tctx); >+check_leaks_push(req_mem_ctx); >+ >+/* Filters always go to DP */ >+will_return(__wrap_sss_dp_get_account_send, test_ctx); >+mock_account_recv_simple(); Can you add a comment that the TEST_USER is created with a DP callback here? >+ >+req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev, >+test_ctx->rctx, >+test_ctx->tctx->dom->name, >+"test*"); It would read nicer if we had a constant TEST_USER_PREFIX "test_user" #defined, or even TEST_USER_FILTER with the asterist. >+assert_non_null(req); >+ >+tevent_req_set_callback(req, cache_req_user_by_filter_test_done, test_ctx); >+ >+ret = test_ev_loop(test_ctx->tctx); >+assert_int_equal(ret, ERR_OK); >+assert_true(check_leaks_pop(req_mem_ctx)); >+ >+assert_non_null(test_ctx->result); >+assert_int_equal(test_ctx->result->count, 1); >+ >+ldbname = ldb_msg_find_attr_as_string(test_ctx->result->msgs[0], >+ SYSDB_NAME, NULL); >+assert_non_null(ldbname); >+assert_string_equal(ldbname, TEST_USER_NAME); >+} > From c2e87544dfbc0667e1b935394d697322b34dddeb Mon Sep 17 00:00:00 2001 
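Review bot: the hunk checks sysdb_store_user() with assert_int_equal(ret, EOK) but test_ev_loop() with assert_int_equal(ret, ERR_OK); both spell success, but one constant throughout reads better and avoids the question of whether the two differ. Agreed with the point above on sleep(1): it exists only so the pre-stored TEST_USER_NAME2 is older than the filter request, and passing time(NULL) - 1 as the last sysdb_store_user() argument removes the delay without changing what the test proves.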
>From: Petr Cech<pc...@redhat.com>
>Date: Tue, 27 Oct 2015 03:53:18 -0400
>Subject: [PATCH 2/3] TEST: Refactor of test_responder_cache_req.c
>
>We need little more in background of responder_cache_req tests. There
>will be tests which will use three test users. This patch adds support
>for it.
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/2730
>---
> src/te
Re: [SSSD] [PATCH] TEST: recent_valid filter testing
ping
Re: [SSSD] Review of umask() in SSSD
On 10/04/2015 09:39 PM, Jakub Hrozek wrote: Finally, because I'm a lazy reviewer, I would prefer: - a patch that converts 0177 to DFL, with a comment around the macro definition that this is the default secure umask - a patch that converts 0077 to DFL_X, with a comment around DFL_X definition that unless executable bit is explicitly needed, DFL should be used - a patch per change if we need to tighten the existing umasks further. Hi Jakub, I put more care and expanded review of umask in several patches. Patch 0005-P11-CHILD-NSS was discussed with Sumit (thanks). I'd like to ask about any special care at patch 0010-KRB5-CHILD. I investigated it, but second look will be better. Regards Petr >From 97f8c14b58f29cf3ce341ead29f17204faa60f3d Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Mon, 5 Oct 2015 09:38:10 -0400 Subject: [PATCH 01/11] REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK) There are many calls of umask function with 0177 argument. This patch add new constant SSS_DFL_UMASK which stands for 0177. So all occurences of umask(0177) (except responder code) are replaced by constant SSS_DFL_UMASK. Resolves: https://fedorahosted.org/sssd/ticket/2424 --- src/confdb/confdb.c | 2 +- src/util/debug.c| 2 +- src/util/server.c | 5 ++--- src/util/util.h | 3 +++ 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index d811f7cbf597db5c5ee5fa658c8864233da8f2e0..0f76a3d140ec832467c8382df088ac0e279207c0 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -659,7 +659,7 @@ int confdb_init(TALLOC_CTX *mem_ctx, return EIO; } -old_umask = umask(0177); +old_umask = umask(SSS_DFL_UMASK); ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL); umask(old_umask); diff --git a/src/util/debug.c b/src/util/debug.c index 69df54386101973548108c3194a1bfd111f046f0..bd13fdecdbd37da8e13ed492c115570657d2588c 100644 --- a/src/util/debug.c +++ b/src/util/debug.c 
@@ -362,7 +362,7 @@ int open_debug_file_ex(const char *filename, FILE **filep, bool want_cloexec) if (debug_file && !filep) fclose(debug_file); -old_umask = umask(0177); +old_umask = umask(SSS_DFL_UMASK); errno = 0; f = fopen(logpath, "a"); if (f == NULL) { diff --git a/src/util/server.c b/src/util/server.c index 7e9b76f74ee5e76d2481eb425eff4811cc2e780e..036dace044c1e2c3efbb2411f39bdfd3f9616db4 100644 --- a/src/util/server.c +++ b/src/util/server.c @@ -490,9 +490,8 @@ int server_setup(const char *name, int flags, setup_signals(); -/* we want default permissions on created files to be very strict, - so set our umask to 0177 */ -umask(0177); +/* we want default permissions on created files to be very strict */ +umask(SSS_DFL_UMASK); if (flags & FLAGS_DAEMON) { DEBUG(SSSDBG_IMPORTANT_INFO, "Becoming a daemon.\n"); diff --git a/src/util/util.h b/src/util/util.h index f9fe1ca7189c6b2cdcb29f143005b20a2d969fee..9658d79fe9a0062b46188f2e7a97aaaebdeff29e 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -64,6 +64,9 @@ #define SSS_ATTRIBUTE_PRINTF(a1, a2) #endif +/** Default secure umask */ +#define SSS_DFL_UMASK 0177 + extern const char *debug_prg_name; extern int debug_level; extern int debug_timestamps; -- 2.4.3 >From eab27ab030d0efe44ae25e2313bbee40db5cc9d4 Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Mon, 5 Oct 2015 09:51:20 -0400 Subject: [PATCH 02/11] REFACTOR: DFL_RSP_UMASK constant in responder code There is DFL_RSP_UMASK constant for very secure umask in responder code. This patch replaces occurances of value 0177 with this constant. Resolves: https://fedorahosted.org/sssd/ticket/2424 --- src/responder/common/responder_common.c | 3 ++- src/responder/pam/pamsrv.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c index 2097004cb0fc24d8b356f9d924243f948227ef58..baaf0412b4a70537a2523a98ff33d8f34f194b47 100644 
--- a/src/responder/common/responder_common.c +++ b/src/responder/common/responder_common.c @@ -690,7 +690,8 @@ static int set_unix_socket(struct resp_ctx *rctx) if (rctx->priv_sock_name != NULL ) { /* create privileged pipe */ if (rctx->priv_lfd == -1) { -ret = create_pipe_fd(rctx->priv_sock_name, >priv_lfd, 0177); +ret = create_pipe_fd(rctx->priv_sock_name, >priv_lfd, + DFL_RSP_UMASK); if (ret != EOK) { goto failed; } diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c index 3fe467c3cfc4c63b9c261065a17a54c20ea4a546..6ac770b7ac80676824cd572444359b96279902f7 100644 --- a/src/responder/pam/pamsrv.c +++ b/src/responder/pam/pamsrv.c @@ -396,7 +396,8 @@ i
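Review bot: util.h now defines SSS_DFL_UMASK as 0177 with the 'Default secure umask' comment, but the responder hunks (responder_common.c, pamsrv.c) still resolve to responder.h's own DFL_RSP_UMASK 0177 literal, so the two values can drift apart; defining DFL_RSP_UMASK as SSS_DFL_UMASK keeps a single source of truth, as proposed elsewhere in this thread. The server.c hunk correctly drops the literal '0177' from the comment now that the macro carries the value; the same could be done for the 'so set our umask to 0177' comment that sits above DFL_RSP_UMASK in responder.h.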
Re: [SSSD] Review of umask() in SSSD
On 10/12/2015 11:37 AM, Jakub Hrozek wrote:
On Wed, Oct 07, 2015 at 03:55:17PM +0200, Petr Cech wrote:
On 10/04/2015 09:39 PM, Jakub Hrozek wrote:
Finally, because I'm a lazy reviewer, I would prefer:
- a patch that converts 0177 to DFL, with a comment around the macro definition that this is the default secure umask
- a patch that converts 0077 to DFL_X, with a comment around DFL_X definition that unless executable bit is explicitly needed, DFL should be used
- a patch per change if we need to tighten the existing umasks further.

Hi Jakub,

I put more care and expanded review of umask in several patches. Patch 0005-P11-CHILD-NSS was discussed with Sumit (thanks). I'd like to ask about any special care at patch 0010-KRB5-CHILD. I investigated it, but second look will be better.

Regards
Petr

Thanks, this is much easier to review!

From 97f8c14b58f29cf3ce341ead29f17204faa60f3d Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Mon, 5 Oct 2015 09:38:10 -0400
Subject: [PATCH 01/11] REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK)

There are many calls of umask function with 0177 argument. This patch adds new constant SSS_DFL_UMASK which stands for 0177. So all occurrences of umask(0177) (except responder code) are replaced by constant SSS_DFL_UMASK.

Resolves:
https://fedorahosted.org/sssd/ticket/2424
---

ACK

From eab27ab030d0efe44ae25e2313bbee40db5cc9d4 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Mon, 5 Oct 2015 09:51:20 -0400
Subject: [PATCH 02/11] REFACTOR: DFL_RSP_UMASK constant in responder code

There is DFL_RSP_UMASK constant for very secure umask in responder code. This patch replaces occurrences of value 0177 with this constant.

Resolves:
https://fedorahosted.org/sssd/ticket/2424

ACK, but what do you think about changing the definition of DFL_RSP_UMASK to:
#define DFL_RSP_UMASK SSS_DFL_UMASK

Done.

From 3c9b9d9046082b6a4b586d7bdd02c9ec1eee0749 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com> Date: Mon, 5 Oct 2015 10:12:36 -0400 Subject: [PATCH 03/11] REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK) There are many calls of umask function with 077 argument. This patch add new constant SSS_DFL_X_UMASK which stands fot 077. So all occurences of umask(077) are replaced by constant SSS_DFL_X_UMASK. Resolves: https://fedorahosted.org/sssd/ticket/2424 ACK From 1cfd7467ac939e2d12c18f8852402ea9c3305379 Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Tue, 6 Oct 2015 03:04:44 -0400 Subject: [PATCH 04/11] REFACTOR: SCKT_RSP_UMASK constant in responder code This patch adds new SCKT_RSP_UMASK constant which stands for 0111. And it replaces all occurances in responder code. Resolves: https://fedorahosted.org/sssd/ticket/2424 --- src/responder/common/responder.h| 4 src/responder/common/responder_common.c | 2 +- src/responder/pam/pamsrv.c | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h index 4d927cfe321bf3ad240b7c175568081ea73ab652..ef072d5c72371a7033f5462001c22471ccbf5abf 100644 --- a/src/responder/common/responder.h +++ b/src/responder/common/responder.h @@ -43,6 +43,10 @@ extern hash_table_t *dp_requests; * so set our umask to 0177 */ #define DFL_RSP_UMASK 0177 +/* Sockets must be readable and writable by anybody on the system. I would add "Public sockets" here, because we also have a private PAM socket that's only open for root: # ll /var/lib/sss/pipes/private/pam srw---. 1 root root 0 Oct 10 22:28 /var/lib/sss/pipes/private/pam Done. From 0a43a4febf56b8429d05dd448c5ee8800d1a8d21 Mon Sep 17 00:00:00 2001 
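Review bot: the new comment on SCKT_RSP_UMASK says sockets must be readable and writable by anybody, yet the same header carries DFL_RSP_UMASK for the private PAM socket that is root-only; saying 'public sockets' (as suggested above) and adding that 0111 only strips the execute bits, so the final mode still depends on the mode passed to create_pipe_fd(), would make the intended distinction explicit in the header rather than only in the call sites.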
From: Petr Cech <pc...@redhat.com>
Date: Tue, 6 Oct 2015 07:05:57 -0400
Subject: [PATCH 05/11] P11_CHILD_NSS: More restrictive permissions

p11_child_nss runs as root and we must be careful about security. This patch adds more restrictive permissions on it. There is no reason for 0077, so we use 0177 umask.

Resolves:
https://fedorahosted.org/sssd/ticket/2424

ACKed also by Sumit.

From 820c4edd0cc0ba2a43d363cbbb79aab2fcad6b37 Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Tue, 6 Oct 2015 07:57:17 -0400
Subject: [PATCH 06/11] UTILS: More restrictive permissions in domain_info

There are two occurrences of creating temp. file under SSS_DFL_X_UMASK permissions which enable possibility to grant executable permission. After writing to those temp. files, they are renamed and they get 0644 permissions. So SSS_DFL_UMASK is good enough for this case.

Resolves:
https://fedorahosted.org/sssd/ticket/2424

ACK, I verified the permissions on domain mappings and krb5_localauth files is still 644:
# ll /var/lib/sss/pubconf/krb5.include.d/
total 8
-rw-r--r--. 1 root root 387 Oct 12 09:06 domain_realm_ipa_test
-rw-r--r--. 1
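The umask review in this thread and in the earlier KRB5_CHILD exchange turns on one detail: 0177 clears the execute bits as well, which is harmless for files but leaves any directory created under it at 0600, unusable even by its owner, which is why directory-creating code such as create_ccache_dir() needs its own umask. The block below is an added example, not SSSD code: it creates a file and a directory under each umask constant named in the thread (0177, 077 and 0111) and reports the mode the kernel actually stored. effective_mode() and dir_usable_by_owner() are hypothetical helper names, the responder socket case is approximated with a regular file, and the temporary directory under /tmp (or $TMPDIR) is constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create one object (file if is_dir == 0, directory otherwise) with the
 * requested mode while `um` is the process umask, and return the permission
 * bits the kernel stored (st_mode & 07777), or (mode_t)-1 on error. The
 * object lives under a fresh mkdtemp() directory that is removed again, and
 * the previous umask is restored before returning. (Example code.) */
mode_t effective_mode(mode_t um, mode_t requested, int is_dir)
{
    const char *base = getenv("TMPDIR");
    char dir[256];
    snprintf(dir, sizeof(dir), "%s/umask_demo_XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL) {
        return (mode_t)-1;
    }
    char path[300];
    snprintf(path, sizeof(path), "%s/obj", dir);

    mode_t old = umask(um);
    int rc;
    if (is_dir) {
        rc = mkdir(path, requested);
    } else {
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
        rc = (fd < 0) ? -1 : close(fd);
    }
    umask(old);

    struct stat st;
    mode_t result = (mode_t)-1;
    if (rc == 0 && stat(path, &st) == 0) {
        result = st.st_mode & 07777;
    }
    if (is_dir) {
        rmdir(path);
    } else {
        unlink(path);
    }
    rmdir(dir);
    return result;
}

/* A directory needs owner search (x) and write bits to be entered and
 * populated; a directory mkdir()'d under 0177 has neither. */
int dir_usable_by_owner(mode_t bits)
{
    return (bits & S_IXUSR) != 0 && (bits & S_IWUSR) != 0;
}

int main(void)
{
    /* Constructed table of the umask constants discussed in the thread. */
    struct { const char *name; mode_t um; } masks[] = {
        { "SSS_DFL_UMASK   (0177)", 0177 },
        { "SSS_DFL_X_UMASK (0077)", 0077 },
        { "SCKT_RSP_UMASK  (0111)", 0111 },
    };
    for (size_t i = 0; i < sizeof(masks) / sizeof(masks[0]); i++) {
        mode_t f = effective_mode(masks[i].um, 0666, 0);
        mode_t d = effective_mode(masks[i].um, 0777, 1);
        printf("%s: file 0666 -> %04o, dir 0777 -> %04o (%s)\n",
               masks[i].name, (unsigned)f, (unsigned)d,
               dir_usable_by_owner(d) ? "dir usable" : "dir NOT usable");
    }
    return 0;
}
```

Run as any user; the output shows why a process-wide 0177 is the right default for files written by the daemon and children, while code that must mkdir() (ccache directories, the DIR: ccache case Jakub checked above) has to set 077 around the call and restore the old mask afterwards.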
Re: [SSSD] [PATCH] SDAP: rem warning - sizelimit exceeded in POSIX check
Hi everyone,

we just discussed 'function wrapper' topic offline. I agree that it is not ideal to add new parameter to the function. And I agree that in languages like C, we have return value model. On the other hand, we have clean code on our minds. So I think that wrappers like:
# int func(a, b, c, d);
# int func_with_warns(a,b,c,d);
are better if we use func() very often. Why? The reason is that we look at func() as to something which does one thing or one thing with printing warnings. So we can quickly check if every occurrence is right or not. It could be confusing if we needed to check something like:
# int ret;
# ret = func(a,b,c,d);
# if (ret != EOK) {
# }
# ...
# if (ret == WARNS) {
#     LOG(...);
# }

Regards
Petr

PS: I didn't read the thread, so it is only my 2 cents.
Re: [SSSD] [WIKI] Contribute and DevelTips are duplicate
On 09/03/2015 04:02 PM, Petr Cech wrote:
I just updated the wiki pages. I will send another mail for it. But in this thread, I would like to note what is exactly done.

Original pages:
[ 1] https://fedorahosted.org/sssd/wiki/Contribute
[ 2] https://fedorahosted.org/sssd/wiki/DevelTips
[ 3] https://fedorahosted.org/sssd/wiki/DevelTutorials
[ 4] https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs
[ 5] https://fedorahosted.org/sssd/wiki/BugLifecycle
[ 6] https://fedorahosted.org/sssd/wiki/Repositories

Content of [3] has been divided between [1] and [3], content of [5] has been divided between [1] and [4]. Then [3,5,6] will be deleted.

There is a little mistake, content of [3] has been divided between [2,4]
I just checked it.

Test of new pages:
[ 7] https://fedorahosted.org/sssd/wiki/pcech_test_contribute
[ 8] https://fedorahosted.org/sssd/wiki/pcech_test_devel_tips
[ 9] https://fedorahosted.org/sssd/wiki/pcech_test_reporting_sssd_bugs

UPDATE:
[ 7] --> [ 1]
[ 8] --> [ 2]
[ 9] --> [ 4]

Pages [7,8,9] still exist, but we could remove them. Pages [3,5,6] exist too, but I hope no links target them. We could remove them too.

I am sorry, but after this ticket I am blind on wiki. Could somebody check that I did update properly? Thanks.

Petr

Hi,

some time ago I edited wiki pages. The exact changes are described in the previous email. Today I erased the pages ([7,8,9] and [3,5,6]) that were marked for deletion. Their copies are attached.

Regards
Petr

Attachments: removed_wiki_pages.tar.gz, remved_temp_pages.tar.gz
[SSSD] [PATCH] UTIL: Function 2string for enum sss_cli_command
Hi! https://fedorahosted.org/sssd/ticket/2703 It's my first patch to this ticket. It is simple transforming of number of command to the string. Petr From ca782a1518480635ef60bc2cdf77d9b8644132b0 Mon Sep 17 00:00:00 2001 From: Petr Cech pc...@redhat.com Date: Wed, 8 Jul 2015 07:17:28 -0400 Subject: [PATCH] UTIL: Function 2string for enum sss_cli_command Improvement of debug messages. Instead of:(0x0400): Running command [17] with... We could see:(0x0400): Running command [SSS_NSS_GETPWNAM] with... Resolves: https://fedorahosted.org/sssd/ticket/2703 --- src/responder/nss/nsssrv_cmd.c | 29 +++--- src/sss_client/pam_sss.c | 7 +- src/tools/tools_mc_util.c | 4 +- src/util/sss_log.c | 215 + src/util/util.h| 4 + 5 files changed, 242 insertions(+), 17 deletions(-) diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c index 0129467302f16af3180a5be47ff2e235da65..421048ec71891b87f6be08efe41fa7c48c97cfaa 100644 --- a/src/responder/nss/nsssrv_cmd.c +++ b/src/responder/nss/nsssrv_cmd.c @@ -1312,7 +1312,8 @@ static int nss_cmd_getbynam(enum sss_cli_command cmd, struct cli_ctx *cctx) case SSS_NSS_GETORIGBYNAME: break; default: -DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%d].\n, cmd); +DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%s].\n, + sss_cli_command_2string(cmd)); return EINVAL; } @@ -1347,8 +1348,8 @@ static int nss_cmd_getbynam(enum sss_cli_command cmd, struct cli_ctx *cctx) rawname = (const char *)body; -DEBUG(SSSDBG_TRACE_FUNC, Running command [%d] with input [%s].\n, - dctx-cmdctx-cmd, rawname); +DEBUG(SSSDBG_TRACE_FUNC, Running command [%s] with input [%s].\n, + sss_cli_command_2string(dctx-cmdctx-cmd), rawname); if (dctx-cmdctx-cmd == SSS_NSS_GETSIDBYNAME) { ret = nss_check_name_of_well_known_sid(cmdctx, rawname); 
@@ -1737,7 +1738,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, struct cli_ctx *cctx) case SSS_NSS_GETSIDBYID: break; default: -DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%d].\n, cmd); +DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%s].\n, + sss_cli_command_2string(cmd)); return EINVAL; } @@ -1766,8 +1768,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, struct cli_ctx *cctx) } SAFEALIGN_COPY_UINT32(cmdctx-id, body, NULL); -DEBUG(SSSDBG_TRACE_FUNC, Running command [%d] with id [%PRIu32].\n, - dctx-cmdctx-cmd, cmdctx-id); +DEBUG(SSSDBG_TRACE_FUNC, Running command [%s] with id [%PRIu32].\n, + sss_cli_command_2string(dctx-cmdctx-cmd), cmdctx-id); switch(dctx-cmdctx-cmd) { case SSS_NSS_GETPWUID: @@ -1805,8 +1807,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, struct cli_ctx *cctx) } break; default: -DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%d].\n, -dctx-cmdctx-cmd); +DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%s].\n, + sss_cli_command_2string(dctx-cmdctx-cmd)); ret = EINVAL; goto done; } @@ -1851,8 +1853,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, struct cli_ctx *cctx) } break; default: -DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%d].\n, -dctx-cmdctx-cmd); +DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%s].\n, + sss_cli_command_2string(dctx-cmdctx-cmd)); ret = EINVAL; } @@ -5172,7 +5174,8 @@ static int nss_cmd_getbysid(enum sss_cli_command cmd, struct cli_ctx *cctx) size_t bin_sid_length; if (cmd != SSS_NSS_GETNAMEBYSID cmd != SSS_NSS_GETIDBYSID) { -DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%d].\n, cmd); +DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%s].\n, + sss_cli_command_2string(cmd)); return EINVAL; } 
@@ -5214,8 +5217,8 @@ static int nss_cmd_getbysid(enum sss_cli_command cmd, struct cli_ctx *cctx) goto done; } -DEBUG(SSSDBG_TRACE_FUNC, Running command [%d] with SID [%s].\n, - dctx-cmdctx-cmd, sid_str); +DEBUG(SSSDBG_TRACE_FUNC, Running command [%s] with SID [%s].\n, + sss_cli_command_2string(dctx-cmdctx-cmd), sid_str); cmdctx-secid = talloc_strdup(cmdctx, sid_str); if (cmdctx-secid == NULL) { diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index e4fa83e12c71bb05dd329686cf2d2df6323ff3bd..90fae56764854d7856b3ee327c18ab6608ff2f6d 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -43,6 +43,7 @@ #include pam_message.h #include util/atomic_io.h #include util/authtok-utils.h +#include util/util.h #include libintl.h #define _(STRING) dgettext (PACKAGE
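Review bot: in each 'Invalid command type' default branch the value handed to sss_cli_command_2string(cmd) is, by construction, one the switch did not recognise, so the function must return a printable fallback (never NULL) for out-of-range values or the %s in these DEBUG formats dereferences a NULL pointer; the sss_log.c side is not visible here, so please confirm it handles that case. Also, as raised in the review, keeping the numeric value next to the name (for example "[SSS_NSS_GETPWNAM (17)]", the way sss_strerror-style messages pair text and code) keeps these messages comparable with older logs that only carry the number.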
Re: [SSSD] [PATCH] UTIL: Function 2string for enum sss_cli_command
On 07/08/2015 02:46 PM, Pavel Reichl wrote: On 07/08/2015 02:13 PM, Petr Cech wrote: Hi! https://fedorahosted.org/sssd/ticket/2703 It's my first patch to this ticket. It is simple transforming of number of command to the string. Petr Hello Petr, thank for the patch! I haven't tested the patch yet, but I have some nitpicks. Please see inline. 0001-UTIL-Function-2string-for-enum-sss_cli_command.patch From ca782a1518480635ef60bc2cdf77d9b8644132b0 Mon Sep 17 00:00:00 2001 From: Petr Cechpc...@redhat.com Date: Wed, 8 Jul 2015 07:17:28 -0400 Subject: [PATCH] UTIL: Function 2string for enum sss_cli_command Improvement of debug messages. Instead of:(0x0400): Running command [17] with... We could see:(0x0400): Running command [SSS_NSS_GETPWNAM] with... Resolves: https://fedorahosted.org/sssd/ticket/2703 Is this the right ticket? Subject of the ticket is Need better libhbac debuging added to sssd but I don't think this patch relates to libhbac, right? Pavel, you're right, it is not the right ticket. I was looking to Improving the debug messages thread and I would like to start with small improvement. Logging messages could be more on user side. So I will create new ticket for it. --- src/responder/nss/nsssrv_cmd.c | 29 +++--- src/sss_client/pam_sss.c | 7 +- src/tools/tools_mc_util.c | 4 +- src/util/sss_log.c | 215 + src/util/util.h| 4 + 5 files changed, 242 insertions(+), 17 deletions(-) diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c index 0129467302f16af3180a5be47ff2e235da65..421048ec71891b87f6be08efe41fa7c48c97cfaa 100644 --- a/src/responder/nss/nsssrv_cmd.c +++ b/src/responder/nss/nsssrv_cmd.c 
@@ -1312,7 +1312,8 @@ static int nss_cmd_getbynam(enum sss_cli_command cmd, struct cli_ctx *cctx) case SSS_NSS_GETORIGBYNAME: break; default: -DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%d].\n, cmd); +DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%s].\n, + sss_cli_command_2string(cmd)); return EINVAL; } I think that removing the number value might be a little too much. There might be people used to it. So I think that showing both might be the best option. Please see how we use 'sss_strerror' which is similar to your function. Are there other opinions? Thank you, I'll be inspired. @@ -1347,8 +1348,8 @@ static int nss_cmd_getbynam(enum sss_cli_command cmd, struct cli_ctx *cctx) rawname = (const char *)body; -DEBUG(SSSDBG_TRACE_FUNC, Running command [%d] with input [%s].\n, - dctx-cmdctx-cmd, rawname); +DEBUG(SSSDBG_TRACE_FUNC, Running command [%s] with input [%s].\n, + sss_cli_command_2string(dctx-cmdctx-cmd), rawname); if (dctx-cmdctx-cmd == SSS_NSS_GETSIDBYNAME) { ret = nss_check_name_of_well_known_sid(cmdctx, rawname); @@ -1737,7 +1738,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, struct cli_ctx *cctx) case SSS_NSS_GETSIDBYID: break; default: -DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%d].\n, cmd); +DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%s].\n, + sss_cli_command_2string(cmd)); return EINVAL; } @@ -1766,8 +1768,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, struct cli_ctx *cctx) } SAFEALIGN_COPY_UINT32(cmdctx-id, body, NULL); -DEBUG(SSSDBG_TRACE_FUNC, Running command [%d] with id [%PRIu32].\n, - dctx-cmdctx-cmd, cmdctx-id); +DEBUG(SSSDBG_TRACE_FUNC, Running command [%s] with id [%PRIu32].\n, + sss_cli_command_2string(dctx-cmdctx-cmd), cmdctx-id); switch(dctx-cmdctx-cmd) { case SSS_NSS_GETPWUID: 
@@ -1805,8 +1807,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, struct cli_ctx *cctx) } break; default: -DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%d].\n, -dctx-cmdctx-cmd); +DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%s].\n, + sss_cli_command_2string(dctx-cmdctx-cmd)); ret = EINVAL; goto done; } @@ -1851,8 +1853,8 @@ static int nss_cmd_getbyid(enum sss_cli_command cmd, struct cli_ctx *cctx) } break; default: -DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%d].\n, -dctx-cmdctx-cmd); +DEBUG(SSSDBG_CRIT_FAILURE, Invalid command [%s].\n, + sss_cli_command_2string(dctx-cmdctx-cmd)); ret = EINVAL; } @@ -5172,7 +5174,8 @@ static int nss_cmd_getbysid(enum sss_cli_command cmd, struct cli_ctx *cctx) size_t bin_sid_length; if (cmd != SSS_NSS_GETNAMEBYSID cmd != SSS_NSS_GETIDBYSID) { -DEBUG(SSSDBG_CRIT_FAILURE, Invalid command type [%d].\n, cmd); +DEBUG
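Review bot: every `default:` branch in these hunks passes a value that is by definition not a known enum member to sss_cli_command_2string(), so the function must return a fixed non-NULL string for out-of-range input (e.g. `UNKNOWN`), otherwise `%s` with a NULL pointer is undefined behaviour in exactly the DEBUG calls meant to diagnose bad input. As already suggested inline, keeping the numeric value next to the name, `Invalid command type [%d][%s].\n, cmd, sss_cli_command_2string(cmd)`, also preserves the raw value in the one case where the name cannot help.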
[SSSD] [WIKI] Contribute and DevelTips are duplicate
Hi, I've read the wiki according to # https://fedorahosted.org/sssd/ticket/2706 and I think that it could be helpful clean the page # https://fedorahosted.org/sssd/wiki/DevelTutorials from git topic and create new page for everything related to git. The motivation is, that: * Contribute briefly describe whole process on basic level, * DevelTips looks like How To, * DevelTutorials are more about technologies, libraries, build process..., * So there could be one page for everything about git. NOTES how we could edit wiki: https://fedorahosted.org/sssd/wiki/Contribute Contribute Contribution Policy Source Code Repository /* * There could be only a link to the repo and * reference to New Git page. */ Tips and tricks for developers QA, Development and Bug Triage Development Repositories Localization and Internationalization Design Pages Credits Latest Documentation and Presentations https://fedorahosted.org/sssd/wiki/DevelTips SSSD Devel page Are there any introductory tutorials available? /* + Reference to the new Git page */ When I debug an SSSD process in a debugger, it always gets killed with … Using valgrind to identify memory access problems Using strace to track the SSSD processes How do I track work-in-progress of other developers? /* * Is it * still valid? * * I tried link * for jhrozek and * his sssd.git * and the url * doesn't exist. */ Why does make check take so long? Using clang to perform static analysis of source code When I compile the SSSD from source there is an error that says … https://fedorahosted.org/sssd/wiki/DevelTutorials /* * Label @new-git-page means * that I would like move given paragraph to the New git page */ Talloc Tevent and tevent_req Coding Style Code Contributions /* @new-git-page */ Getting the source /* @new-git-page */ Building SSSD for development and debugging Unit tests Submitting a patch upstream /* @new-git-page */ Patch metadata /* @new-git-page */ Translation Contributions Devel Tips New Git page /* Maybe Git Tips? 
*/ + paragraph about git setup from Contribute-Source Code Repository + some paragraphs of DevelTutorials-Code Contributions I am looking forward to your opinions. Petr
Re: [SSSD] [PATCH] UTIL: Function 2string for enum sss_cli_command
Hi! There is my repaired patch. All of your comments were helpful. I renamed the function to sss_cmd2str(), but maybe it could be sss_cli_cmd2str(). I am not sure about it, but if it is better, I will rename it again. Petr On 07/08/2015 03:26 PM, Sumit Bose wrote: On Wed, Jul 08, 2015 at 02:13:42PM +0200, Petr Cech wrote: Hi! https://fedorahosted.org/sssd/ticket/2703 It's my first patch to this ticket. It is a simple transformation of the command number to a string. Hi Petr, welcome and thank you for your first patch. Besides Pavel's suggestions I have some general comments as well. - There is pamcmd2str() which does a similar job for the backend code but I think it is becoming redundant with your patch. Can you remove this call and use yours where appropriate? - I haven't tested it, but I'm pretty sure that the PAM module pam_sss which is built from pam_sss.c and some other files is broken in debug mode with your patch because sss_log.c is not used when building it and hence sss_cli_command_2string() will be undefined. You do not see this during compilation or even during 'make check' because the 'D' macro is only evaluated if PAM_DEBUG is defined during compilation. If you run something like 'make CFLAGS+=-DPAM_DEBUG check' the dlopen test should fail with your patch. Since the PAM module pam_sss.so might be loaded by any kind of process at runtime we try to keep it as simple as possible and try to add as few dependencies as possible. If you search the Makefile.am for pam_sss_la_SOURCES you will see that besides source files from the sss_client directory we only add atomic_io.c and authtok-utils.c which both contain only a single function with no special dependencies. I would suggest that you put sss_cli_command_2string() in a file on its own, similar to atomic_io.c or authtok-utils.c, and add this file to pam_sss_la_SOURCES and libsss_debug_la_SOURCES in Makefile.am. I leave it up to you to decide what would be a good place for this file.
The sss_client directory because the enum sss_cli_command is defined here as well or the util directory because the main usage for it is in the SSSD code and not in the pam_sss module. bye, Sumit ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel From 8b3ae05fc97f548256dc8b72863183b9dc9a539a Mon Sep 17 00:00:00 2001 From: Petr Cech pc...@redhat.com Date: Wed, 8 Jul 2015 07:17:28 -0400 Subject: [PATCH] UTIL: Function 2string for enum sss_cli_command Improvement of debug messages. Instead of:(0x0400): Running command [17]... We could see:(0x0400): Running command [17][SSS_NSS_GETPWNAM]... Resolves: https://fedorahosted.org/sssd/ticket/2703 --- Makefile.am | 4 +- src/providers/dp_pam_data_util.c | 27 + src/responder/nss/nsssrv_cmd.c | 30 +++--- src/sss_client/pam_sss.c | 6 +- src/tools/tools_mc_util.c| 4 +- src/util/sss_cli_cmd.c | 219 +++ src/util/sss_cli_cmd.h | 9 ++ src/util/sss_log.c | 2 - 8 files changed, 256 insertions(+), 45 deletions(-) create mode 100644 src/util/sss_cli_cmd.c create mode 100644 src/util/sss_cli_cmd.h diff --git a/Makefile.am b/Makefile.am index b8cbc6df23ded1edb945a709b6dbe1c44eb54017..f16b8ebdb4dd66c2d193c19bd8355782f4de4c9a 100644 --- a/Makefile.am +++ b/Makefile.am @@ -678,7 +678,8 @@ endif pkglib_LTLIBRARIES += libsss_debug.la libsss_debug_la_SOURCES = \ src/util/debug.c \ -src/util/sss_log.c +src/util/sss_log.c \ +src/util/sss_cli_cmd.c libsss_debug_la_LIBADD = \ $(SYSLOG_LIBS) libsss_debug_la_LDFLAGS = \ @@ -2654,6 +2655,7 @@ pam_sss_la_SOURCES = \ src/sss_client/sss_cli.h \ src/util/atomic_io.c \ src/util/authtok-utils.c \ +src/util/sss_cli_cmd.c \ src/sss_client/sss_pam_macros.h \ src/sss_client/sss_pam_compat.h diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c index 8724bf936f3f46fb8393c8a3da57215a73b4191a..10e91f5f7286db5e76ad98b6c7519f2482d006db 100644 --- a/src/providers/dp_pam_data_util.c +++ b/src/providers/dp_pam_data_util.c 
@@ -23,33 +23,10 @@ */ #include providers/data_provider.h - +#include util/sss_cli_cmd.h #define PAM_SAFE_ITEM(item) item ? item : not set -static const char *pamcmd2str(int cmd) { -switch (cmd) { -case SSS_PAM_AUTHENTICATE: -return PAM_AUTHENTICATE; -case SSS_PAM_SETCRED: -return PAM_SETCRED; -case SSS_PAM_ACCT_MGMT: -return PAM_ACCT_MGMT; -case SSS_PAM_OPEN_SESSION: -return PAM_OPEN_SESSION; -case SSS_PAM_CLOSE_SESSION: -return PAM_CLOSE_SESSION; -case SSS_PAM_CHAUTHTOK: -return PAM_CHAUTHTOK; -case SSS_PAM_CHAUTHTOK_PRELIM: -return PAM_CHAUTHTOK_PRELIM; -case SSS_PAM_PREAUTH
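Review bot: the Makefile.am hunks add src/util/sss_cli_cmd.c to libsss_debug_la_SOURCES and pam_sss_la_SOURCES, but the new header src/util/sss_cli_cmd.h (created per the diffstat and now included from dp_pam_data_util.c) is not listed in dist_noinst_HEADERS, so it will be missing from the distributed tarball and `make distcheck` will fail on `#include util/sss_cli_cmd.h`; add `src/util/sss_cli_cmd.h \` to dist_noinst_HEADERS in this same patch. The commit message also still says `Resolves: https://fedorahosted.org/sssd/ticket/2703` although it was agreed above that this is not the right ticket.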
Re: [SSSD] Code style -- for loop iterative variables initial declaration
On 08/28/2015 09:18 AM, Lukas Slebodnik wrote: On (28/08/15 09:03), Petr Cech wrote: Hi everyone, I would like to ask you what you think about the initialization of iterative variables in forloops. I know that present code style does not allow it. But how I recognized, we use C99, and this feature is here now. (example) Instead of:| |||# inti; # for(i =0;...)||| we could write: ||# for(inti =0;...)| ^ There is a synteax error; variable inti is not definded :-) s/inti/int i/ Sorry for typo. My mail client plays game with me. otherwise +1 and there are also precedents in sssd code. src/lib/sifp/sss_sifp_parser.c:434:for (unsigned int i = 0; src/providers/ipa/ipa_init.c:103:for (int i = 0; list[i]; i++) { src/tests/ipa_ldap_opt-tests.c:267:for (int i=0; i SDAP_OPTS_BASIC; i++) { src/tools/tools_mc_util.c:173:for (size_t i = 0; i steps_count; ++i) { src/util/domain_info_utils.c:74:for (int i=0; parent-sd_enumerate[i]; i++) { LS
Re: [SSSD] [PATCH] sss_override: document --debug options
On 08/28/2015 03:13 PM, Petr Cech wrote: I am doing code review for fixed patch now. Patch looks good to me and it works. I discussed the problem above (about fprintf vs. libpopt) with both offline. The libpopt solution starts here [1] and I agree it would not be straightforward. So I am inclined to the solution presented in the patch. Regards Petr [1] src/tools/sss_override.c:1412 PS: I am waiting for CI tests. CI: http://sssd-ci.duckdns.org/logs/job/23/84/summary.html The failure is not connected to this patch. = ACK Petr
Re: [SSSD] [PATCH] sss_override: document --debug options
On 08/28/2015 12:25 PM, Pavel Březina wrote: I would be also curious why you need to provide hacks for printing argument description for autohelp. There is a much more elegant way how to do it with libpopt. (small hint POPT_ARGFLAG_DOC_HIDDEN in sss_tool_common_opts) Your curiosity is remarkable, though I have no idea why are you hinting this flag. because I cannot see a reason why we should write tool tip with fprintf if there is a way with libpopt. Because there is a way, but not an straight-forward and elegant way. Since there is only one option and the list is not likely to be extended, there is no problem with doing it this way. It's not a NACK but I do not like your solution so I will not ACK it either. You need to find someone else. I'm completely fine with this. LS I am doing code review for fixed patch now. Patch looks good to me and it works. I discussed the problem above (about fprintf vs. libpopt) with both offline. The libpopt solution starts here [1] and I agree it would not be straightforward. So I am inclined to the solution presented in the patch. Regards Petr [1] src/tools/sss_override.c:1412 PS: I am waiting for CI tests. ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCH] TESTS: ldap_id_cleanup timeouts
On 08/27/2015 05:49 PM, Michal Židek wrote: I agree. Attached is the same patch that was already ACKed, just with the changed name and added const. Michal Yes, it is the same, with const. ACK again. Petr
Re: [SSSD] [PATCH] DATA_PROVIDER: BE_REQ as string in log message
On 08/27/2015 01:26 PM, Lukas Slebodnik wrote: Petr, what do you think about small simplification. #include providers/data_provider_req.h +#define be_req_to_str(req_type, be_req_t) \ +((req_type) BE_REQ_FAST) \ +? FAST #be_req_t \ +: #be_req_t + const char *be_req2str(dbus_uint32_t req_type) { switch (req_type BE_REQ_TYPE_MASK) { case BE_REQ_USER: -return req_type BE_REQ_FAST ? - FAST BE_REQ_USER : BE_REQ_USER; +return be_req_to_str(req_type, BE_REQ_USER); case BE_REQ_GROUP: return req_type BE_REQ_FAST ? FAST BE_REQ_GROUP : BE_REQ_GROUP; The result of preprocessor is almost the same and code look little bit simpler. const char *be_req2str(dbus_uint32_t req_type) { switch (req_type 0x00FF) { case 0x0001: return ((req_type) 0x1000) ? FAST BE_REQ_USER : BE_REQ_USER; case 0x0002: return req_type 0x1000 ? FAST BE_REQ_GROUP : BE_REQ_GROUP; case 0x0003: return req_type 0x1000 ? FAST BE_REQ_INITGROUPS : BE_REQ_INITGROUPS; Feel free to rename macro; it's just a POC version. LS Thanks. There is improved patch attached. Petr From baf0f51e8444bb0862efe4347d245f0b01834cfc Mon Sep 17 00:00:00 2001 
From: Petr Cech pc...@redhat.com Date: Tue, 18 Aug 2015 06:59:31 -0400 Subject: [PATCH] DATA_PROVIDER: BE_REQ as string in log message Add be_req2str() for translation BE_REQ to string. So we will have || Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian] instead of || Got request for [0x1001][1][name=celestian] Function be_req2str() is used in data provider and in responder too. So this patch create new header file data_provider_req.h which delivers function be_req2str() and definitions of BE_REQ_*. Resolves: https://fedorahosted.org/sssd/ticket/2708 --- Makefile.am | 6 +++- src/providers/data_provider.h | 17 +-- src/providers/data_provider_be.c| 3 +- src/providers/data_provider_req.c | 58 + src/providers/data_provider_req.h | 51 src/responder/common/responder_dp.c | 4 +-- 6 files changed, 119 insertions(+), 20 deletions(-) create mode 100644 src/providers/data_provider_req.c create mode 100644 src/providers/data_provider_req.h diff --git a/Makefile.am b/Makefile.am index f153ab0adf390880672a1681b386ea26426465cb..94920b29d7aab44085e401f8ada8555ab69fed6a 100644 --- a/Makefile.am +++ b/Makefile.am @@ -446,7 +446,8 @@ SSSD_RESPONDER_OBJ = \ src/monitor/monitor_iface_generated.c \ src/monitor/monitor_iface_generated.h \ src/providers/data_provider_iface_generated.c \ -src/providers/data_provider_iface_generated.h +src/providers/data_provider_iface_generated.h \ +src/providers/data_provider_req.c SSSD_TOOLS_OBJ = \ src/tools/sss_sync_ops.c \ @@ -583,6 +584,7 @@ dist_noinst_HEADERS = \ src/confdb/confdb_private.h \ src/confdb/confdb_setup.h \ src/providers/data_provider.h \ +src/providers/data_provider_req.h \ src/providers/dp_backend.h \ src/providers/dp_dyndns.h \ src/providers/dp_ptask_private.h \ @@ -1193,6 +1195,7 @@ endif sssd_be_SOURCES = \ src/providers/data_provider_be.c \ +src/providers/data_provider_req.c \ src/providers/data_provider_fo.c \ src/providers/data_provider_opts.c \ src/providers/data_provider_callbacks.c \ 
@@ -1646,6 +1649,7 @@ simple_access_tests_SOURCES = \ src/providers/simple/simple_access.c \ src/providers/simple/simple_access_check.c \ src/providers/data_provider_be.c \ +src/providers/data_provider_req.c \ src/providers/data_provider_fo.c \ src/providers/data_provider_opts.c \ src/providers/data_provider_callbacks.c \ diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h index 510c63ce41c99314ec8fcf11fffb2e66082e8951..39051b90c3aad96f62dcbb86a20bcfd8c954879b 100644 --- a/src/providers/data_provider.h +++ b/src/providers/data_provider.h @@ -43,6 +43,7 @@ #include sbus/sbus_client.h #include sss_client/sss_cli.h #include util/authtok.h +#include providers/data_provider_req.h #include providers/data_provider_iface_generated.h #define DATA_PROVIDER_VERSION 0x0001 @@ -131,22 +132,6 @@ #define BE_FILTER_CERT 6 #define BE_FILTER_WILDCARD 7 -#define BE_REQ_USER 0x0001 -#define BE_REQ_GROUP 0x0002 -#define BE_REQ_INITGROUPS0x0003 -#define BE_REQ_NETGROUP 0x0004 -#define BE_REQ_SERVICES 0x0005 -#define BE_REQ_SUDO_FULL 0x0006 -#define BE_REQ_SUDO_RULES0x0007 -#define BE_REQ_AUTOFS0x0009 -#define BE_REQ_HOST 0x0010 -#define BE_REQ_BY_SECID 0x0011 -#define BE_REQ_USER_AND_GROUP 0x0012 -#define BE_REQ_BY_UUID 0x0013 -#define BE_REQ_BY_CERT 0x0014 -#define BE_REQ_TYPE_MASK 0x00FF -#define BE_REQ_FAST 0x1000 - #define DP_SEC_ID
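Review bot: the be_req_to_str macro suggested above expands to a bare conditional expression, `((req_type) & BE_REQ_FAST) ? "FAST " #be_req_t : #be_req_t`, with no parentheses around the whole `?:`; that is harmless in a `return` statement, but the moment the macro is used inside a larger expression (string concatenation, a comparison, another ternary) the operator precedence changes its meaning. Wrap the entire expansion in an extra pair of parentheses, `(((req_type) & BE_REQ_FAST) ? "FAST " #be_req_t : #be_req_t)`, before it goes into data_provider_req.c.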
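A stand-alone version of the mapping this thread discusses, added here as an example and not SSSD's own code: it uses the BE_REQ_* values from the patch above, a fully parenthesised stringification macro in the spirit of the suggestion in the thread, and keeps the numeric value beside the symbolic name in the log prefix; be_req_log_prefix() and the sample request values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Request type values as moved into data_provider_req.h by the patch. */
#define BE_REQ_USER           0x0001
#define BE_REQ_GROUP          0x0002
#define BE_REQ_INITGROUPS     0x0003
#define BE_REQ_NETGROUP       0x0004
#define BE_REQ_SERVICES       0x0005
#define BE_REQ_SUDO_FULL      0x0006
#define BE_REQ_SUDO_RULES     0x0007
#define BE_REQ_AUTOFS         0x0009
#define BE_REQ_HOST           0x0010
#define BE_REQ_BY_SECID       0x0011
#define BE_REQ_USER_AND_GROUP 0x0012
#define BE_REQ_BY_UUID        0x0013
#define BE_REQ_BY_CERT        0x0014
#define BE_REQ_TYPE_MASK      0x00FF
#define BE_REQ_FAST           0x1000

/* Stringify a BE_REQ_* token, prefixed with "FAST " when the fast bit is set.
 * The whole conditional is wrapped in parentheses so the macro stays correct
 * inside any larger expression, not only directly after `return`. */
#define BE_REQ_TO_STR(req_type, be_req_t) \
    ((((req_type) & BE_REQ_FAST) != 0) ? "FAST " #be_req_t : #be_req_t)

/* Map the masked request type to its symbolic name. Unknown values get a
 * fixed non-NULL string so the result can always be passed to "%s". */
const char *be_req2str(uint32_t req_type)
{
    switch (req_type & BE_REQ_TYPE_MASK) {
    case BE_REQ_USER:           return BE_REQ_TO_STR(req_type, BE_REQ_USER);
    case BE_REQ_GROUP:          return BE_REQ_TO_STR(req_type, BE_REQ_GROUP);
    case BE_REQ_INITGROUPS:     return BE_REQ_TO_STR(req_type, BE_REQ_INITGROUPS);
    case BE_REQ_NETGROUP:       return BE_REQ_TO_STR(req_type, BE_REQ_NETGROUP);
    case BE_REQ_SERVICES:       return BE_REQ_TO_STR(req_type, BE_REQ_SERVICES);
    case BE_REQ_SUDO_FULL:      return BE_REQ_TO_STR(req_type, BE_REQ_SUDO_FULL);
    case BE_REQ_SUDO_RULES:     return BE_REQ_TO_STR(req_type, BE_REQ_SUDO_RULES);
    case BE_REQ_AUTOFS:         return BE_REQ_TO_STR(req_type, BE_REQ_AUTOFS);
    case BE_REQ_HOST:           return BE_REQ_TO_STR(req_type, BE_REQ_HOST);
    case BE_REQ_BY_SECID:       return BE_REQ_TO_STR(req_type, BE_REQ_BY_SECID);
    case BE_REQ_USER_AND_GROUP: return BE_REQ_TO_STR(req_type, BE_REQ_USER_AND_GROUP);
    case BE_REQ_BY_UUID:        return BE_REQ_TO_STR(req_type, BE_REQ_BY_UUID);
    case BE_REQ_BY_CERT:        return BE_REQ_TO_STR(req_type, BE_REQ_BY_CERT);
    default:                    return "UNKNOWN";
    }
}

/* Constructed helper: build the "Got request for [...]" prefix from the commit
 * message, keeping the raw value next to the name so an unknown or badly
 * masked value is still diagnosable. Returns snprintf()'s count. */
int be_req_log_prefix(char *buf, size_t buflen, uint32_t req_type)
{
    return snprintf(buf, buflen, "Got request for [0x%04x][%s]",
                    (unsigned int)req_type, be_req2str(req_type));
}

int main(void)
{
    char line[128];
    /* Constructed sample request values: fast user, initgroups, fast cert,
     * and an unassigned type to show the UNKNOWN fallback. */
    uint32_t samples[] = { 0x1001, 0x0003, 0x1014, 0x0008 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        be_req_log_prefix(line, sizeof(line), samples[i]);
        puts(line);
    }
    return 0;
}
```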
Re: [SSSD] [PATCH] [HBAC]: Better libhbac debuging
On 08/24/2015 03:45 PM, Pavel Reichl wrote: On 07/24/2015 06:20 PM, Petr Cech wrote: From 2fcf13ef59f00b460afa77b27ef6cc2789b06393 Mon Sep 17 00:00:00 2001 From: Petr Cechpc...@redhat.com Date: Fri, 24 Jul 2015 10:56:49 -0400 Subject: [PATCH] [HBAC]: Better libhbac debuging s/debuging/debugging Fixed. Added support for logging via external log function. Log provides information about rules evaluating (HBAC_DBG_INFO level) and additionally can describe rules (HBAC_DBG_TRACE level). Resolves: https://fedorahosted.org/sssd/ticket/2703 --- src/providers/ipa/hbac_evaluator.c | 146 + src/providers/ipa/ipa_access.c | 45 src/providers/ipa/ipa_hbac.exports | 3 +- src/providers/ipa/ipa_hbac.h | 23 ++ 4 files changed, 216 insertions(+), 1 deletion(-) diff --git a/src/providers/ipa/hbac_evaluator.c b/src/providers/ipa/hbac_evaluator.c index f40f9e0a7f16f5e012079c637b89c8e49ec5d15b..66d3512937702b5955f333c0c837807ee9e13deb 100644 --- a/src/providers/ipa/hbac_evaluator.c +++ b/src/providers/ipa/hbac_evaluator.c @@ -24,6 +24,8 @@ */ #include stdlib.h +#include stdio.h +#include stdarg.h #include string.h #include errno.h #include providers/ipa/ipa_hbac.h 
@@ -38,6 +40,41 @@ typedef int errno_t; #define EOK 0 #endif +/* HBAC logging system */ + +/* static pointer to external logging function */ +static void (*hbac_debug_fn)(const char *file, int line, enum hbac_debug_level, + const char *format, ...) = NULL; Do you think that introducing a new type using typedef for this type of callback would be more readable? Yes, I do. Fixed. + +/* setup function for external logging function */ +void hbac_enable_debug(void (*external_debug_fn)(const char *file, int line, + enum hbac_debug_level, const char *format, ...)) +{ +hbac_debug_fn = external_debug_fn; +} + +/* debug macro */ +#define HBAC_DEBUG(level, format, ...) do { \ +if (hbac_debug_fn != NULL) { \ +hbac_debug_fn(__FILE__, __LINE__, level, format, ##__VA_ARGS__); \ +} \ +} while (0) IMO macro should be defined after includes and before function definitions, but I haven't check if we are 100 % consistent about this in SSSD. Fixed. + +/* auxiliary function for hbac_request_element logging */ +static void hbac_request_element_debug_print(struct hbac_request_element *el, +const char *label); bad indentation Fixed. + +/* auxiliary function for hbac_eval_req logging */ +static void hbac_req_debug_print(struct hbac_eval_req *req); + +/* auxiliary function for hbac_rule_element logging */ +static void hbac_rule_element_debug_print(struct hbac_rule_element *el, + const char *label); + +/* auxiliary function for hbac_rule logging */ +static void hbac_rule_debug_print(struct hbac_rule *rule); + + /* Placeholder structure for future HBAC time-based * evaluation rules */ 
@@ -110,6 +147,9 @@ enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules, struct hbac_eval_req *hbac_req, struct hbac_info **info) { +HBAC_DEBUG(HBAC_DBG_INFO, [ hbac_evaluate()); +hbac_req_debug_print(hbac_req); + We generally do not add any code before variable definitions, I understand that logging is kinda special, but I would prefer to add it after the definitions, do you agree? Fixed. enum hbac_error_code ret; enum hbac_eval_result result = HBAC_EVAL_DENY; enum hbac_eval_result_int intermediate_result; @@ -117,6 +157,7 @@ enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules, if (info) { *info = malloc(sizeof(struct hbac_info)); if (!*info) { +HBAC_DEBUG(HBAC_DBG_ERROR, Out of memory.); return HBAC_EVAL_OOM; } (*info)-code = HBAC_ERROR_UNKNOWN; @@ -125,20 +166,25 @@ enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules, uint32_t i; for (i = 0; rules[i]; i++) { +hbac_rule_debug_print(rules[i]); intermediate_result = hbac_evaluate_rule(rules[i], hbac_req, ret); if (intermediate_result == HBAC_EVAL_UNMATCHED) { /* This rule did not match at all. Skip it */ +HBAC_DEBUG(HBAC_DBG_INFO, DISALLOWED by rule [%s]., + rules[i]-name); continue; } else if (intermediate_result == HBAC_EVAL_MATCHED) { /* This request matched an ALLOW rule * Set the result to ALLOW but continue checking * the other rules in case a DENY rule trumps it. */ +HBAC_DEBUG(HBAC_DBG_INFO, ALLOWED by rule [%s]., rules[i]-name); result = HBAC_EVAL_ALLOW; if (info) { (*info)-code = HBAC_SUCCESS; (*info)-rule_name = strdup(rules[i]-name
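Review bot: the message logged in the HBAC_EVAL_UNMATCHED branch of the rule loop, `DISALLOWED by rule [%s].`, contradicts the comment directly above it (`This rule did not match at all. Skip it`): an unmatched rule neither allows nor denies, and logging it as DISALLOWED will lead anyone reading the trace to conclude that a deny rule fired for the request. Log it as something like `Rule [%s] did not match.` and keep ALLOWED/DENIED wording for the branches that actually change `result`. Separately, the `, ##__VA_ARGS__` in HBAC_DEBUG is a GNU extension rather than C99, so it is worth a comment or a check that it matches what the project's existing DEBUG macro relies on.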
Re: [SSSD] [PATCH] [HBAC]: Better libhbac debuging
On 08/27/2015 10:42 AM, Pavel Reichl wrote: * SSSDBG_TRACE_ALL produces: ...hbac_evaluator.c:150] [< hbac_evaluate() ...hbac_evaluator.c:410] REQUEST: ...hbac_evaluator.c:391] service [sshd] ...hbac_evaluator.c:400] service_group (none) ...hbac_evaluator.c:391] user [csikos] ...hbac_evaluator.c:395] user_group: I think it could be useful to move user and might be user_group to less verbose level - I think it could be hard to navigate in less verbose logs otherwise, do you agree? ...hbac_evaluator.c:397] [ipausers] ...hbac_evaluator.c:391] targethost [albireo.cygnus.dev] ...hbac_evaluator.c:400] targethost_group (none) ...hbac_evaluator.c:391] srchost [192.168.122.106] ...hbac_evaluator.c:400] srchost_group (none) ...hbac_evaluator.c:417] request time Fri Jul 24 14:29:36 2015 ...hbac_evaluator.c:454] RULE [szabo_allowed] [ENABLED]: ...hbac_evaluator.c:456] services: ...hbac_evaluator.c:427] category [0] [NONE] ...hbac_evaluator.c:435] services_names (none) ...hbac_evaluator.c:440] services_groups: ...hbac_evaluator.c:442] [Sudo] ...hbac_evaluator.c:462] users: It was commented in previous mail. I agree. On 08/26/2015 09:44 AM, Petr Cech wrote: 0001-TESTS-Fixing-of-uninitialized-pointer.patch Nice catch! Ci passed. ACK to this patch Thanks. 0002-HBAC-Better-libhbac-debugging.patch From 75d97a5336e2b66d4bb187ce024ad9be9b2702b9 Mon Sep 17 00:00:00 2001 From: Petr Cech<pc...@redhat.com> Date: Fri, 24 Jul 2015 10:56:49 -0400 Subject: [PATCH 2/2] HBAC: Better libhbac debugging Added support for logging via external log function. Log provides information about rules evaluating (HBAC_DBG_INFO level) and additionally can describe rules (HBAC_DBG_TRACE level). Resolves: https://fedorahosted.org/sssd/ticket/2703 --- src/providers/ipa/hbac_evaluator.c | 149 + src/providers/ipa/ipa_access.c | 45 +++ src/providers/ipa/ipa_hbac.exports | 3 +- src/providers/ipa/ipa_hbac.h | 22 ++ 4 files changed, 218 insertions(+), 1 deletion(-) 
diff --git a/src/providers/ipa/hbac_evaluator.c b/src/providers/ipa/hbac_evaluator.c index f40f9e0a7f16f5e012079c637b89c8e49ec5d15b..976d5887baeecbb45d660c0de5ca54c914fc6367 100644 --- a/src/providers/ipa/hbac_evaluator.c +++ b/src/providers/ipa/hbac_evaluator.c @@ -24,6 +24,8 @@ */ #include +#include +#include Are these header files really needed? What do we need from them? I'm just asking as code seems to compile fine even without them. Amazingly, it works. The reason were things like ## __ VA_ARGS__ in new HBAC_DEBUG macro. #include #include #include "providers/ipa/ipa_hbac.h" @@ -38,6 +40,39 @@ typedef int errno_t; #define EOK 0 #endif +/* HBAC logging system */ + +/* debug macro */ +#define HBAC_DEBUG(level, format, ...) do { \ + if (hbac_debug_fn != NULL) { \ + hbac_debug_fn(__FILE__, __LINE__, level, format, ##__VA_ARGS__); \ + } \ +} while (0) + +/* static pointer to external logging function */ +static hbac_debug_fn_t hbac_debug_fn = NULL; + +/* setup function for external logging function */ +void hbac_enable_debug(hbac_debug_fn_t external_debug_fn) +{ + hbac_debug_fn = external_debug_fn; +} + +/* auxiliary function for hbac_request_element logging */ +static void hbac_request_element_debug_print(struct hbac_request_element *el, + const char *label); + +/* auxiliary function for hbac_eval_req logging */ +static void hbac_req_debug_print(struct hbac_eval_req *req); + +/* auxiliary function for hbac_rule_element logging */ +static void hbac_rule_element_debug_print(struct hbac_rule_element *el, + const char *label); + +/* auxiliary function for hbac_rule logging */ +static void hbac_rule_debug_print(struct hbac_rule *rule); + + /* Placeholder structure for future HBAC time-based * evaluation rules */ 
@@ -114,9 +149,13 @@ enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules, enum hbac_eval_result result = HBAC_EVAL_DENY; enum hbac_eval_result_int intermediate_result; + HBAC_DEBUG(HBAC_DBG_INFO, "[< hbac_evaluate()"); +hbac_req_debug_print(hbac_req); + if (info) { *info = malloc(sizeof(struct hbac_info)); if (!*info) { +HBAC_DEBUG(HBAC_DBG_ERROR, "Out of memory."); return HBAC_EVAL_OOM; } (*info)->code = HBAC_ERROR_UNKNOWN; @@ -125,20 +164,25 @@ enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules, uint32_t i; for (i = 0; rules[i]; i++) { +hbac_rule_debug_print(rules[i]); intermediate_result = hbac_evaluate_rule(rules[i], hbac_req, ); if (intermediate_result == HBAC_EVAL_UNMATCHED) { /* This rule did not match at all. Skip it */ +HBAC_DEBUG(HBAC_DBG_INFO, "DISALLOWED by rule [%s].", + rules[i]->name); continue; } else if (intermediate_re
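Review bot: the justification given for the two new includes at the top of hbac_evaluator.c does not hold: `##__VA_ARGS__` is handled entirely by the preprocessor and needs no header, so <stdio.h> and <stdarg.h> are required only if this file itself calls stdio or va_* functions (for example if the new debug_print helpers format with snprintf); keep whichever include is actually used and drop the other, and state the real reason in the commit message. The `[< hbac_evaluate()` message is also now emitted before the `info` pointer is initialised, which is fine, but the HBAC_EVAL_UNMATCHED branch still logs `DISALLOWED by rule [%s].` for a rule that merely did not apply.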
Re: [SSSD] [PATCH] [HBAC]: Better libhbac debuging
On 08/31/2015 01:32 PM, Pavel Reichl wrote: 0x2000 (Mon Aug 31 07:03:04 2015) [sssd[be[cygnus.dev]]] [hbac] (0x0100): [../src/providers/ipa/hbac_evaluator.c:152] [< hbac_evaluate() (Mon Aug 31 07:03:04 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:409] REQUEST: (Mon Aug 31 07:03:04 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:390] service [sshd] (Mon Aug 31 07:03:04 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:399] service_group (none) (Mon Aug 31 07:03:04 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:390] user [csikos] I think it would be useful to print this line (Mon Aug 31 07:03:04 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:394] user_group: (Mon Aug 31 07:03:04 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:396] [ipausers] and this line even for debug_level 0x0100 But I don't insist. I won't delay the patch for this. I would like to do it, but it is not so easy. The new HBAC logging system provides two new levels. The first level goes through all rules and says whether each allows or disallows. The second writes all information: about the request and about each rule. The simple solution is a compromise. I could switch all request information from level 2 to level 1. So we could have that information; see the attachment.
Petr (Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:407] REQUEST: (Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:388] service [sshd] (Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:397] service_group (none) (Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:388] user [csikos] (Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:392] user_group: (Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:394] [ipausers] (Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:388] targethost [albireo.cygnus.dev] (Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:397] targethost_group (none) (Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:388] srchost [192.168.122.106] (Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:397] srchost_group (none) (Mon Aug 31 11:33:21 2015) [sssd[be[cygnus.dev]]] [hbac] (0x2000): [../src/providers/ipa/hbac_evaluator.c:417] request time 2015-08-31 11:33:21 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] Code style -- for loop iterative variables initial declaration
On 08/31/2015 01:09 PM, Alexander Bokovoy wrote: On Mon, 31 Aug 2015, Lukas Slebodnik wrote: On (29/08/15 14:33), Alexander Bokovoy wrote: On Fri, 28 Aug 2015, Petr Cech wrote: Hi everyone, I would like to ask you what you think about the initialization of iterative variables in forloops. I know that present code style does not allow it. But how I recognized, we use C99, and this feature is here now. (example) Instead of:| |||# inti; # for(i =0;...)||| we could write: ||# for(inti =0;...)| I see an advantage in limiting the validity of such variables. That means higher code readability. Disadvantages I searched but did not find. What this misses is a use case of indexed searches where resulting index value is used beyond the loop itself. By changing context of variable declaration, you make variable inaccessible outside of the loop. I would say it's exactly the purpose of this proposal. To decrease scope of visibility so the index variable with short name cannot be misused for different purpose. Huh? There are valid cases where you search for an element and then use it further in the code. The index is what you get as the result of the search, not a reference to the element. Sometimes you need an element's reference but in many cases you need an index. Yes, I agree. There are different situations. Reducing scope is fine if you understand the context but claiming 'misuse' is a bit too much here. +1 I'd suggest adding this syntax recommendation to SSSD C coding style guidelines but add as well a bit of explanation on these two types of loop usage patterns. +1 Petr ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCH] UTIL: Function 2string for enum sss_cli_command
On 08/31/2015 09:51 PM, Jakub Hrozek wrote: On Mon, Aug 31, 2015 at 06:33:52PM +0200, Jakub Hrozek wrote: On Thu, Aug 27, 2015 at 12:19:18PM +0200, Lukas Slebodnik wrote: ACK LS * master: 11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a This patch broke distcheck: ../src/util/sss_cli_cmd.c -fPIC -DPIC -o src/util/.libs/sss_cli_cmd.o ../src/util/sss_cli_cmd.c:21:30: fatal error: util/sss_cli_cmd.h: No such file or directory #include "util/sss_cli_cmd.h" ^ Please fix ASAP.. ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel I am sorry. There is a fix attached. Petr >From 93dbe494d14df22b6e33d100d40a3665a2990e56 Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Tue, 1 Sep 2015 02:40:36 -0400 Subject: [PATCH] UTIL: Fixing Makefile.am for util/sss_cli_cmd.h Last patch for ticket 2708 broke make distcheck. This is fix. Resolves: https://fedorahosted.org/sssd/ticket/2708 --- Makefile.am | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile.am b/Makefile.am index d4504aba3cc233a8eae8c04d37c54208dad233c0..ac6221f3ca0b414bd4eeebfe4c66640e48b0da8b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -520,6 +520,7 @@ dist_noinst_HEADERS = \ src/util/util_errors.h \ src/util/safe-format-string.h \ src/util/strtonum.h \ +src/util/sss_cli_cmd.h \ src/util/sss_endian.h \ src/util/sss_nss.h \ src/util/sss_ldap.h \ -- 2.4.3 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
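Review bot: the added `src/util/sss_cli_cmd.h \` entry in dist_noinst_HEADERS is the right repair for the distcheck failure quoted above: the header exists in the tree but was never listed for distribution, so the tarball build cannot find it while the in-tree build does. In the commit message, please name the commit being repaired (11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a, as pushed in the reply above) instead of "Last patch for ticket 2708", so the two stay linked in git history, and expand "This is fix." to a full sentence.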
[SSSD] Wiki pages updated
Hi, I just updated the wiki pages. I removed some duplicated and outdated info. I hope that the pages are now clearer. Petr PS: If you need more info, see thread "[SSSD] [WIKI] Contribute and DevelTips are duplicate".
Re: [SSSD] [WIKI] Contribute and DevelTips are duplicate
On 09/02/2015 05:47 PM, Jakub Hrozek wrote: On Wed, Sep 02, 2015 at 05:18:24PM +0200, Michal Židek wrote: On 08/17/2015 02:21 PM, Petr Cech wrote: On 07/17/2015 01:26 PM, Petr Cech wrote: Hi, I have read the wiki pages. And I have the edited version. It would be difficult to send the diff, so I started a new pages where you can view the result. Original pages: [ 1] https://fedorahosted.org/sssd/wiki/Contribute [ 2] https://fedorahosted.org/sssd/wiki/DevelTips [ 3] https://fedorahosted.org/sssd/wiki/DevelTutorials [ 4] https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs [ 5] https://fedorahosted.org/sssd/wiki/BugLifecycle [ 6] https://fedorahosted.org/sssd/wiki/Repositories Content of [3] has been divided between [1] and [3], content of [5] has been divided between [1] and [4]. Then [3,5,6] will be deleted. Test of new pages: [ 7] https://fedorahosted.org/sssd/wiki/pcech_test_contribute [ 8] https://fedorahosted.org/sssd/wiki/pcech_test_devel_tips [ 9] https://fedorahosted.org/sssd/wiki/pcech_test_reporting_sssd_bugs Note that the links lead to the original pages. At [7] you can find "COPR Repository" section, but I am not sure with text here. Please look at it. I did not pass the whole wiki. I think there might be a link from [8] (perhaps [9]) on Troubleshooting. I look forward to your comments, I need the opinions of another persons. Petr Hi, a did some little edits according to talk with Jakub: * deleting Code Submission Process in Contribute * simplifying the structure of the headings in Contribute * adding link to tevent documentation in Devel tips * merging SSSD bug report and we would like to move link to COPR repo to the homepage (and add note about Ubuntu package, is it right?) 
So new version (without homepage and link to Ubuntu repo) is on the same place: [ 7] https://fedorahosted.org/sssd/wiki/pcech_test_contribute [ 8] https://fedorahosted.org/sssd/wiki/pcech_test_devel_tips [ 9] https://fedorahosted.org/sssd/wiki/pcech_test_reporting_sssd_bugs Petr Hi! I think that Petr's changes to Wiki are improvement over the current state. He removes a lot of duplicated and outdated info. So if nobody objects I would like Petr to go ahead and replace the current pages with the new ones. Thank you very much for review, they looked good to me as well when we discussed the changes in person last time. Petr, please move the pages and then send a mail to the list about the update, we can always change more stuff or even roll back. I just updated the wiki pages. I will send another mail for it. But in this thread, I would like to note, what is exactly done. Original pages: [ 1] https://fedorahosted.org/sssd/wiki/Contribute [ 2] https://fedorahosted.org/sssd/wiki/DevelTips [ 3] https://fedorahosted.org/sssd/wiki/DevelTutorials [ 4] https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs [ 5] https://fedorahosted.org/sssd/wiki/BugLifecycle [ 6] https://fedorahosted.org/sssd/wiki/Repositories Content of [3] has been divided between [1] and [3], content of [5] has been divided between [1] and [4]. Then [3,5,6] will be deleted. Test of new pages: [ 7] https://fedorahosted.org/sssd/wiki/pcech_test_contribute [ 8] https://fedorahosted.org/sssd/wiki/pcech_test_devel_tips [ 9] https://fedorahosted.org/sssd/wiki/pcech_test_reporting_sssd_bugs UPDATE: [ 7] --> [ 1] [ 8] --> [ 2] [ 9] --> [ 4] Pages [7,8,9] exist still, but we could remove it. Pages [3,5,6] exist too, but I hope, no links target them. We could remove it too. I am sorry, but after this ticket I am blind on wiki. Could somebody check, that I did update properly? Thanks. Petr I have one comment: Does somebody know how to move the table of contents to the left? 
Currently it is in the upper right corner and I think (especially on bigger monitors) it is really not easy to spot. The table is IMO very important and gives good outline of what to expect from the page so I would really like to have it on the left nice and visible. I only found http://trac.edgewall.org/wiki/PageOutline about the macro. Also I like the idea of revisiting the wiki pages regularly in order to further improve them and keep them up-to-date. I think the overall navigation on our wiki has room for improvement, but we do not need to do everything at once. Hmm I guess I missed that how exactly are we going to update them regularly? (I agree we should, I'm just interested in the mechanics)
[SSSD] Fix #2275 nested netgroups do not work in IPA provider
Hi, reverting this commit "5e9bc89b28f1ac3ce573ecdece74fe9623580c28" fixed the problem for me. So is the original commit no longer valid? Regards, Petr >From 3a161789fc8ef82f4636e55369f4c5b04985f7c2 Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Wed, 2 Sep 2015 11:51:12 -0400 Subject: [PATCH] Revert "netgroup: resolve hostgroup membership correctly" This reverts commit 5e9bc89b28f1ac3ce573ecdece74fe9623580c28. Ticket: https://fedorahosted.org/sssd/ticket/2275 --- src/providers/ipa/ipa_netgroups.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c index db29d29ee8f18d3d963402c4811bdef43bae63dc..8a68ae41311a95d7489868c7d21b739886cf4eea 100644 --- a/src/providers/ipa/ipa_netgroups.c +++ b/src/providers/ipa/ipa_netgroups.c @@ -715,7 +715,7 @@ static bool extract_entities(hash_entry_t *entry, void *pvt) state = talloc_get_type(pvt, struct extract_state); member = talloc_get_type(entry->value.ptr, struct sysdb_attrs); -ret = sysdb_attrs_get_el(member, SYSDB_ORIG_MEMBEROF, ); +ret = sysdb_attrs_get_el(member, SYSDB_MEMBEROF, ); if (ret != EOK) return false; ret = sysdb_attrs_get_el(member, SYSDB_NAME, _el); -- 2.4.3 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
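Review bot: swapping SYSDB_ORIG_MEMBEROF for SYSDB_MEMBEROF in extract_entities trades one failure for another. The cache's memberOf only covers POSIX/user groups, while hostgroup membership is only visible in originalMemberOf, so this revert regains user groups at the price of hostgroup resolution, which is the case commit 5e9bc89b28f1ac3ce573ecdece74fe9623580c28 (ticket 1519, raised later in this thread) fixed. Please test both a user-group and a hostgroup member before pushing; the later messages in this thread move toward reading both attributes instead of reverting.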
Re: [SSSD] Fix #2275 nested netgroups do not work in IPA provider
On 09/04/2015 03:24 PM, Petr Cech wrote: On 09/03/2015 03:45 PM, Sumit Bose wrote: I tried both case. I used only originalMemberOf and I had right hostgroups, >no user groups. Then I used only memberOf and I had no hostgroups, right >user groups. > >So I did little hack, we could use both memberOf. The patch is attached and >it works for me. Hi Petr, thank you for the patch I haven't tested it yet. But I think I now understand the issue better. Currently we store the originalMemberOf attribute for users and hosts but not for POSIX/user groups (we do not even read it from LDAP). So an alternative fix might be to add memberOf attribute to the list of attribute read from LDAP for POSIX groups and save the result in originalMemberOf in the cache. The using only originalMemberOf should be sufficient for the netgroups lookup. Would you mind to try this? For a test is shoult de sufficient to add a line like { "ldap_group_member_of", "memberOf", SYSDB_MEMBEROF, NULL } to all 'struct sdap_attr_map *_group_map[]' lists and a corresponding entry to 'enum sdap_group_attrs'. bye, Sumit Hello Sumit, I tried your alternative way (thanks for it). Patch is attached. I added some lines like: # { "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL } and it works for me. I hope that meaning of this patch is saving user/POSIX group memberOf attribute to originalMemberOf attribute. Regards, Petr And there is version with ticket number. ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel >From 0207fbc11e56efea8796b88e8fa449f82c4628fe Mon Sep 17 00:00:00 2001 
From: Petr Cech <pc...@redhat.com> Date: Fri, 4 Sep 2015 09:09:25 -0400 Subject: [PATCH] IPA PROVIDER: Resolve nested netgroup membership Informations about posix/user group membership are stored in memberOf attribute. And informations about hostgroup membership are stored in originalMemberOf. Netgroup membership process looks only into originalMemberOf. This patch adds saving of posix/user group memberOf attribute to originalMemberOf storage. Resolves: https://fedorahosted.org/sssd/ticket/2275 --- src/providers/ad/ad_opts.h | 1 + src/providers/ipa/ipa_opts.h | 1 + src/providers/ldap/ldap_opts.h | 3 +++ src/providers/ldap/sdap.h | 1 + 4 files changed, 6 insertions(+) diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h index 00586a7ada63ad4c89630e9589d3ff75d1726703..7917e8fc5e60ed27e7ed1248550d1e65d2d159d2 100644 --- a/src/providers/ad/ad_opts.h +++ b/src/providers/ad/ad_opts.h @@ -192,6 +192,7 @@ struct sdap_attr_map ad_2008r2_user_map[] = { { "ldap_user_principal", "userPrincipalName", SYSDB_UPN, NULL }, { "ldap_user_fullname", "name", SYSDB_FULLNAME, NULL }, { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL }, +{ "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL }, { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL }, { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL }, { "ldap_user_primary_group", "primaryGroupID", SYSDB_PRIMARY_GROUP, NULL }, diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h index 78949e3ddec95f7f4303eab905bbbf6ec14ed6ae..9b5fdd138fbdf09f3d3662c011ea792f6272b7a6 100644 --- a/src/providers/ipa/ipa_opts.h +++ b/src/providers/ipa/ipa_opts.h 
@@ -180,6 +180,7 @@ struct sdap_attr_map ipa_user_map[] = { { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL }, { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL }, { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL }, +{ "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL }, { "ldap_user_uuid", "ipaUniqueID", SYSDB_UUID, NULL }, { "ldap_user_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL }, { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL }, diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h index 9f58db5bd9eef1391e97c1890cbff94c2a5406d6..db7bc560f430331462470b2825f6319dbaaf9141 100644 --- a/src/providers/ldap/ldap_opts.h +++ b/src/providers/ldap/ldap_opts.h @@ -156,6 +156,7 @@ struct sdap_attr_map rfc2307_user_map[] = { { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL }, { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL }, { "ldap_user_member_of", NULL, SYSDB_MEMBEROF, NULL }, +{ "ldap_user_member_of", NULL, SYSDB_ORIG_MEMBEROF, NULL }, { "ldap_user_uuid", NULL, SYSDB_UUID, NULL }, { "ldap_us
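Review bot: each of these hunks adds a second map entry carrying the same option name, `ldap_user_member_of`, once for SYSDB_MEMBEROF and once for SYSDB_ORIG_MEMBEROF. Since that first field is the sssd.conf option the map entry is looked up by, please confirm that two entries with one name behave as intended (both would follow the same user override, which is probably what you want here) and add a comment at the new line saying why the attribute is mapped twice. Also note that the suggestion quoted above was to add the entry to the `*_group_map[]` lists with a new `enum sdap_group_attrs` value, whereas this patch changes the user maps (ad_2008r2_user_map, ipa_user_map, rfc2307_user_map); the commit message should state which objects actually gain originalMemberOf.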
Re: [SSSD] Fix #2275 nested netgroups do not work in IPA provider
On 09/03/2015 03:45 PM, Sumit Bose wrote: I tried both case. I used only originalMemberOf and I had right hostgroups, >no user groups. Then I used only memberOf and I had no hostgroups, right >user groups. > >So I did little hack, we could use both memberOf. The patch is attached and >it works for me. Hi Petr, thank you for the patch I haven't tested it yet. But I think I now understand the issue better. Currently we store the originalMemberOf attribute for users and hosts but not for POSIX/user groups (we do not even read it from LDAP). So an alternative fix might be to add memberOf attribute to the list of attribute read from LDAP for POSIX groups and save the result in originalMemberOf in the cache. The using only originalMemberOf should be sufficient for the netgroups lookup. Would you mind to try this? For a test is shoult de sufficient to add a line like { "ldap_group_member_of", "memberOf", SYSDB_MEMBEROF, NULL } to all 'struct sdap_attr_map *_group_map[]' lists and a corresponding entry to 'enum sdap_group_attrs'. bye, Sumit Hello Sumit, I tried your alternative way (thanks for it). Patch is attached. I added some lines like: # { "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL } and it works for me. I hope that meaning of this patch is saving user/POSIX group memberOf attribute to originalMemberOf attribute. Regards, Petr >From a5b0e35de6a9cb6e9e1881deaae9fa55701aa33a Mon Sep 17 00:00:00 2001 
From: Petr Cech <pc...@redhat.com> Date: Fri, 4 Sep 2015 09:09:25 -0400 Subject: [PATCH] IPA PROVIDER: Resolve nested netgroup membership Informations about posix/user group membership are stored in memberOf attribute. And informations about hostgroup membership are stored in originalMemberOf. Netgroup membership process looks only into originalMemberOf. This patch adds saving of posix/user group memberOf attribute to originalMemberOf storage. Resolves: https://fedorahosted.org/sssd/ticket/ --- src/providers/ad/ad_opts.h | 1 + src/providers/ipa/ipa_opts.h | 1 + src/providers/ldap/ldap_opts.h | 3 +++ src/providers/ldap/sdap.h | 1 + 4 files changed, 6 insertions(+) diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h index 00586a7ada63ad4c89630e9589d3ff75d1726703..7917e8fc5e60ed27e7ed1248550d1e65d2d159d2 100644 --- a/src/providers/ad/ad_opts.h +++ b/src/providers/ad/ad_opts.h @@ -192,6 +192,7 @@ struct sdap_attr_map ad_2008r2_user_map[] = { { "ldap_user_principal", "userPrincipalName", SYSDB_UPN, NULL }, { "ldap_user_fullname", "name", SYSDB_FULLNAME, NULL }, { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL }, +{ "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL }, { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL }, { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL }, { "ldap_user_primary_group", "primaryGroupID", SYSDB_PRIMARY_GROUP, NULL }, diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h index 78949e3ddec95f7f4303eab905bbbf6ec14ed6ae..9b5fdd138fbdf09f3d3662c011ea792f6272b7a6 100644 --- a/src/providers/ipa/ipa_opts.h +++ b/src/providers/ipa/ipa_opts.h 
@@ -180,6 +180,7 @@ struct sdap_attr_map ipa_user_map[] = { { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL }, { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL }, { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL }, +{ "ldap_user_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL }, { "ldap_user_uuid", "ipaUniqueID", SYSDB_UUID, NULL }, { "ldap_user_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL }, { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL }, diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h index 9f58db5bd9eef1391e97c1890cbff94c2a5406d6..db7bc560f430331462470b2825f6319dbaaf9141 100644 --- a/src/providers/ldap/ldap_opts.h +++ b/src/providers/ldap/ldap_opts.h @@ -156,6 +156,7 @@ struct sdap_attr_map rfc2307_user_map[] = { { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL }, { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL }, { "ldap_user_member_of", NULL, SYSDB_MEMBEROF, NULL }, +{ "ldap_user_member_of", NULL, SYSDB_ORIG_MEMBEROF, NULL }, { "ldap_user_uuid", NULL, SYSDB_UUID, NULL }, { "ldap_user_objectsid", NULL, SYSDB_SID, NULL }, { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL }, @@ -212,6 +213,7 @@ struct sdap_attr_map rfc2307bis_user_map[] = { { "ldap_user_principal", "krbPrincip
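Review bot: the `Resolves: https://fedorahosted.org/sssd/ticket/` line in this version's commit message ends without a ticket number; this thread is about ticket 2275, so fill that in before pushing. The commit message should also say "Information about posix/user group membership is stored" ("informations" is not a plural in English).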
Re: [SSSD] [PATCH] UTIL: Alternative way for debug message initialisation
On 09/08/2015 03:31 PM, Lukas Slebodnik wrote: I would rather used option d) than option a). (Do not change anything) Option b) does not require namespacing, because it is a local macro. Option c) is the most readable, but there is a collision with gnu gettext. So it cannot be used. LS Only my 2 cents: Isn't compile time check really important feature? Petr
Re: [SSSD] Fix #2275 nested netgroups do not work in IPA provider
On 09/03/2015 08:18 AM, Jakub Hrozek wrote: On Thu, Sep 03, 2015 at 06:15:24AM +0200, Lukas Slebodnik wrote: On (02/09/15 18:06), Petr Cech wrote: Hi, reverting this commit "5e9bc89b28f1ac3ce573ecdece74fe9623580c28" fixed the problem for me. So is the original commit no longer valid? I'm little bit worried about reverting this patch. Did you test the bug which was fixed by this commit. @see https://fedorahosted.org/sssd/ticket/1519 Thanks. Tested. We need both patches (because user groups are in memberOf and host groups are in orig_memberOf). Simple, I will do it. Is it OK that freeIPA use two kind of memberOf? The author of the patch could help, too :-)
Re: [SSSD] Fix #2275 nested netgroups do not work in IPA provider
On 09/03/2015 10:08 AM, Sumit Bose wrote: On Thu, Sep 03, 2015 at 09:54:51AM +0200, Jakub Hrozek wrote: On Thu, Sep 03, 2015 at 09:31:07AM +0200, Petr Cech wrote: On 09/03/2015 08:18 AM, Jakub Hrozek wrote: On Thu, Sep 03, 2015 at 06:15:24AM +0200, Lukas Slebodnik wrote: On (02/09/15 18:06), Petr Cech wrote: Hi, reverting this commit "5e9bc89b28f1ac3ce573ecdece74fe9623580c28" fixed the problem for me. So is the original commit no longer valid? I'm little bit worried about reverting this patch. Did you test the bug which was fixed by this commit. @see https://fedorahosted.org/sssd/ticket/1519 Thanks. Tested. We need both patches (because user groups are in memberOf and host groups are in orig_memberOf). Simple, I will do it. Is it OK that freeIPA use two kind of memberOf? It does not. In FreeIPA LDAP there should only be memberOf (check it out with openldap). What is happening is that we internally store IPA's memberof value as originalMemberOf and our memberof points to cached objects. yes and since we (so far) only store POSIX groups (user groups) in the SSSD cache memberOf will only point to user groups. But as Jakub said originalMemberOf should contain all memberOf attributres from the related IPA LDAP object. Hence I would expect that originalMemberOf will have a complete list of memberships with both user and host groups. bye, Sumit I tried both case. I used only originalMemberOf and I had right hostgroups, no user groups. Then I used only memberOf and I had no hostgroups, right user groups. So I did little hack, we could use both memberOf. The patch is attached and it works for me. Petr ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel >From 7ee4be91c40210e6671bb66098936261550e4fef Mon Sep 17 00:00:00 2001 
From: Petr Cech <pc...@redhat.com> Date: Wed, 2 Sep 2015 11:51:12 -0400 Subject: [PATCH] IPA PROVIDER: Resolve nested netgroup membership Informations about usergroup membership are stored in memberOf attribute. And informations about hostgroup membership are stored in originalMemberOf. This patch add both, memberOf and originalMemberOf, attributes for searching in. Ticket: https://fedorahosted.org/sssd/ticket/2275 --- src/providers/ipa/ipa_netgroups.c | 30 ++ 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c index db29d29ee8f18d3d963402c4811bdef43bae63dc..07338a6ba94ccdfbe18dc359d8249bf6fd3d05d6 100644 --- a/src/providers/ipa/ipa_netgroups.c +++ b/src/providers/ipa/ipa_netgroups.c @@ -704,9 +704,9 @@ struct extract_state { int entries_count; }; -static bool extract_entities(hash_entry_t *entry, void *pvt) +static bool extract_entity(hash_entry_t *entry, const char* attr, void *pvt) { -int i, ret; +int ret; struct extract_state *state; struct sysdb_attrs *member; struct ldb_message_element *el; 
@@ -715,22 +715,25 @@ static bool extract_entities(hash_entry_t *entry, void *pvt) state = talloc_get_type(pvt, struct extract_state); member = talloc_get_type(entry->value.ptr, struct sysdb_attrs); -ret = sysdb_attrs_get_el(member, SYSDB_ORIG_MEMBEROF, ); -if (ret != EOK) return false; +ret = sysdb_attrs_get_el(member, attr, ); +if (ret != EOK) { +return false; +} ret = sysdb_attrs_get_el(member, SYSDB_NAME, _el); if (ret != EOK || name_el == NULL || name_el->num_values == 0) { return false; } -for (i = 0; i < el->num_values; i++) { -if (strcmp((char *)el->values[i].data, state->group) == 0) { - -state->entries = talloc_realloc(state, state->entries, const char *, +for (int j = 0; j < el->num_values; j++) { +if (strcmp((char *)el->values[j].data, state->group) == 0) { +state->entries = talloc_realloc(state, state->entries, +const char *, state->entries_count + 1); if (state->entries == NULL) { return false; } + state->entries[state->entries_count] = (char *)name_el->values[0].data; state->entries_count++; break; @@ -740,6 +743,17 @@ static bool extract_entities(hash_entry_t *entry, void *pvt) return true; } +static bool extract_entities(hash_entry_t *entry, void *pvt) +{ +bool ret1 = false; +bool ret2 = false; + +ret1 = extract_entity(entry, SYSDB_ORIG_MEMBEROF, pvt); +ret2 = extract_entity(entry, SYSDB_MEMBEROF, pvt); + +return ret1 || ret2; +} + static int extr
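Review bot: in the new `extract_entity` signature (hunk @@ -704), `const char* attr` attaches the star to the type while the same line writes `hash_entry_t *entry`; please use `const char *attr`. In the body hunk (@@ -715), moving the index into the for header is in line with the loop-style proposal discussed on this list, but renaming `i` to `j` at the same time adds unrelated churn to the diff; keep the name and just move the declaration.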
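Review bot: the new `extract_entities` (hunk @@ -740) runs `extract_entity` twice on the same `pvt` state, once for SYSDB_ORIG_MEMBEROF and once for SYSDB_MEMBEROF, and each call appends `name_el->values[0]` to `state->entries` when it finds `state->group`. A member whose memberOf and originalMemberOf both list the group (a cached POSIX group that is also present in the raw LDAP attribute) is therefore added twice. Either skip the second lookup when the first one matched, or check whether the name is already in `state->entries` before appending. `ret1 || ret2` also discards which attribute was missing; a debug message when neither lookup finds the attribute would make the netgroup trace easier to read.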
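The cache semantics Jakub and Sumit describe above (memberOf pointing at cached POSIX groups, originalMemberOf holding the raw LDAP values that include hostgroups) mean a netgroup lookup has to consult both attributes, and it has to report a member once even when both attributes match. This added example is not SSSD code: `struct cached_member`, `members_of_group` and the sample data are constructed stand-ins for sysdb_attrs and the extract_state logic in ipa_netgroups.c.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for one cached member object (sysdb_attrs in SSSD).
 * memberOf holds only cached POSIX groups; originalMemberOf holds the raw
 * LDAP memberOf values, which is where hostgroups show up. */
struct cached_member {
    const char *name;
    const char *const *member_of;       /* NULL-terminated, may be NULL */
    const char *const *orig_member_of;  /* NULL-terminated, may be NULL */
};

static bool list_contains(const char *const *list, const char *wanted)
{
    if (list == NULL) {
        return false;
    }
    for (size_t i = 0; list[i] != NULL; i++) {
        if (strcmp(list[i], wanted) == 0) {
            return true;
        }
    }
    return false;
}

/* Collect the names of members that belong to `group` through either
 * attribute. Each member is examined once, so a user that matches via
 * both memberOf and originalMemberOf is still reported once. Returns the
 * number of names stored in out[] (at most max_out). */
static size_t members_of_group(const struct cached_member *members,
                               size_t count, const char *group,
                               const char **out, size_t max_out)
{
    size_t n = 0;

    for (size_t i = 0; i < count && n < max_out; i++) {
        if (list_contains(members[i].orig_member_of, group)
                || list_contains(members[i].member_of, group)) {
            out[n++] = members[i].name;
        }
    }
    return n;
}

/* Constructed sample: one user listed in both attributes for the same
 * group, one host known only through originalMemberOf. */
static const char *const csikos_member_of[] = { "ipausers", NULL };
static const char *const csikos_orig_member_of[] = { "ipausers", "webadmins", NULL };
static const char *const albireo_orig_member_of[] = { "webservers", NULL };

static const struct cached_member sample_members[] = {
    { "csikos", csikos_member_of, csikos_orig_member_of },
    { "albireo.cygnus.dev", NULL, albireo_orig_member_of },
};

/* Convenience wrapper over the sample data: how many members match. */
static size_t sample_count_for(const char *group)
{
    const char *found[4];
    return members_of_group(sample_members, 2, group, found, 4);
}
```

Checking both attributes inside one pass over each member is what keeps "csikos" from appearing twice for "ipausers"; running a separate pass per attribute, as the patch above does, needs an explicit duplicate check to get the same result.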
Re: [SSSD] [PATCH] [HBAC]: Better libhbac debuging
On 09/01/2015 11:00 AM, Pavel Reichl wrote: From 6b1c6cac7123e78a2c55c51019b66a6bcf97ec29 Mon Sep 17 00:00:00 2001 From: Petr Cech<pc...@redhat.com> Date: Fri, 24 Jul 2015 10:56:49 -0400 Subject: [PATCH 2/2] HBAC: Better libhbac debugging Added support for logging via external log function. Log provides information about rules evaluating (HBAC_DBG_INFO level) and additionally can describe rules (HBAC_DBG_TRACE level). Resolves: https://fedorahosted.org/sssd/ticket/2703 --- src/providers/ipa/hbac_evaluator.c | 152 + src/providers/ipa/ipa_access.c | 49 src/providers/ipa/ipa_hbac.exports | 3 +- src/providers/ipa/ipa_hbac.h | 22 ++ 4 files changed, 225 insertions(+), 1 deletion(-) diff --git a/src/providers/ipa/hbac_evaluator.c b/src/providers/ipa/hbac_evaluator.c index f40f9e0a7f16f5e012079c637b89c8e49ec5d15b..6f236058a4a9711cf9bfba1db1447789bbb2d4b5 100644 --- a/src/providers/ipa/hbac_evaluator.c +++ b/src/providers/ipa/hbac_evaluator.c 
@@ -38,6 +38,39 @@ typedef int errno_t; #define EOK 0 #endif +/* HBAC logging system */ + +/* debug macro */ +#define HBAC_DEBUG(level, format, ...) do { \ +if (hbac_debug_fn != NULL) { \ +hbac_debug_fn(__FILE__, __LINE__, level, format, ##__VA_ARGS__); \ +} \ +} while (0) + +/* static pointer to external logging function */ +static hbac_debug_fn_t hbac_debug_fn = NULL; + +/* setup function for external logging function */ +void hbac_enable_debug(hbac_debug_fn_t external_debug_fn) +{ +hbac_debug_fn = external_debug_fn; +} + +/* auxiliary function for hbac_request_element logging */ +static void hbac_request_element_debug_print(struct hbac_request_element *el, + const char *label); + +/* auxiliary function for hbac_eval_req logging */ +static void hbac_req_debug_print(struct hbac_eval_req *req); + +/* auxiliary function for hbac_rule_element logging */ +static void hbac_rule_element_debug_print(struct hbac_rule_element *el, + const char *label); + +/* auxiliary function for hbac_rule logging */ +static void hbac_rule_debug_print(struct hbac_rule *rule); + + /* Placeholder structure for future HBAC time-based * evaluation rules */ @@ -114,9 +147,13 @@ enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules, enum hbac_eval_result result = HBAC_EVAL_DENY; enum hbac_eval_result_int intermediate_result; +HBAC_DEBUG(HBAC_DBG_INFO, "[< hbac_evaluate()\n"); +hbac_req_debug_print(hbac_req); + if (info) { *info = malloc(sizeof(struct hbac_info)); if (!*info) { +HBAC_DEBUG(HBAC_DBG_ERROR, "Out of memory.\n"); return HBAC_EVAL_OOM; } (*info)->code = HBAC_ERROR_UNKNOWN; 
@@ -125,20 +162,25 @@ enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules, uint32_t i; I know that you haven't changed this code, but could you move the definition of i into for cycle or to he beginning of the block? Fixed. for (i = 0; rules[i]; i++) { +hbac_rule_debug_print(rules[i]); intermediate_result = hbac_evaluate_rule(rules[i], hbac_req, ); if (intermediate_result == HBAC_EVAL_UNMATCHED) { /* This rule did not match at all. Skip it */ +HBAC_DEBUG(HBAC_DBG_INFO, "DISALLOWED by rule [%s].\n", + rules[i]->name); I think this log message is wrong. Rule did not match - it was not relevant for this user, host or service. There are no deny rules. "The rule [%s] did not match" is fine by me, do you agree? Fixed. continue; } else if (intermediate_result == HBAC_EVAL_MATCHED) { /* This request matched an ALLOW rule * Set the result to ALLOW but continue checking * the other rules in case a DENY rule trumps it. */ +HBAC_DEBUG(HBAC_DBG_INFO, "ALLOWED by rule [%s].\n", rules[i]->name); result = HBAC_EVAL_ALLOW; if (info) { (*info)->code = HBAC_SUCCESS; (*info)->rule_name = strdup(rules[i]->name); if (!(*info)->rule_name) { +HBAC_DEBUG(HBAC_DBG_ERROR, "Out of memory.\n"); result = HBAC_EVAL_ERROR; (*info)->code = HBAC_ERROR_OUT_OF_MEMORY; } @@ -146,6 +188,9 @@ enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules, break; } else { /* An error occurred processing this rule */ +HBAC_DEBUG(HBAC_DBG_ERROR, + "Error occurred during evaluating of rule [%s].\n", + rules[i]->name); result = HBAC_EVAL_ERROR; if (info) {
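Review bot: in hunk @@ -38, `HBAC_DEBUG` is defined before the `static hbac_debug_fn_t hbac_debug_fn` it expands to; this compiles because expansion happens at the call sites further down, but declaring the static pointer above the macro makes the dependency visible. `hbac_enable_debug` sets a process-wide pointer with no dedicated way to turn logging off; since the macro tests for NULL, passing NULL does disable it, and that behaviour is worth stating in the ipa_hbac.h comment for the exported function.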
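Review bot: in hunk @@ -114, the entry marker `"[< hbac_evaluate()\n"` is logged before the `*info` allocation, but the out-of-memory branch returns HBAC_EVAL_OOM right after logging "Out of memory." with no matching exit marker, so a trace reader sees an unbalanced bracket. Either log the exit on every return path or emit the entry marker only once the allocation has succeeded. `hbac_req_debug_print(hbac_req)` is called unconditionally here; the request dump it produces (user, groups, source and target host, as in the log excerpt earlier on this page) belongs at HBAC_DBG_TRACE as the commit message says, so please confirm the function filters on that level internally.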
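Review bot: in hunk @@ -146, the message `"Error occurred during evaluating of rule [%s].\n"` is ungrammatical; `"Error while evaluating rule [%s].\n"` reads better and matches the shorter style of the ALLOWED and "did not match" messages agreed above.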
Re: [SSSD] [PATCH] sss_override: document --debug options
On 08/25/2015 01:00 PM, Pavel Březina wrote: https://fedorahosted.org/sssd/ticket/2758 Hi Pavel, I have 3 formal comments to coding style. Now I am running the tests. I will send you mail with results soon. Petr 0001-sss_override-document-debug-options.patch From f181b0a94863f082abaf074a0940e83fbf1c89b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?=pbrez...@redhat.com Date: Tue, 25 Aug 2015 12:58:45 +0200 Subject: [PATCH] sss_override: document --debug options Resolves: https://fedorahosted.org/sssd/ticket/2758 --- src/man/sss_override.8.xml | 18 +- src/tools/common/sss_tools.c | 25 + 2 files changed, 38 insertions(+), 5 deletions(-) diff --git a/src/man/sss_override.8.xml b/src/man/sss_override.8.xml index d289f5b7dfa7fbd328831b4c71d45b4c555225cf..3db8cbe05322ddf662faaa4810cd3bf6b25f8883 100644 --- a/src/man/sss_override.8.xml +++ b/src/man/sss_override.8.xml @@ -38,7 +38,7 @@ all local overrides are lost. /para /refsect1 - + There are 4 trailing white spaces. refsect1 id='commands' titleAVAILABLE COMMANDS/title para @@ -189,6 +189,22 @@ /varlistentry /variablelist /refsect1 + There are 4 trailing white spaces too. +refsect1 id='options' +titleCOMMON OPTIONS/title +para +Those options are available with all commands. +/para +variablelist remap='IP' +varlistentry +term +option-d/option,option--debug/option +replaceableLEVEL/replaceable +/term +xi:include xmlns:xi=http://www.w3.org/2001/XInclude; href=include/debug_levels.xml / +/varlistentry +/variablelist +/refsect1 xi:include xmlns:xi=http://www.w3.org/2001/XInclude; href=include/seealso.xml / diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c index 6bbce3a25c0b23ebc108a917a38e94981b65..3e732a3411494262ea34a1e5c332e86f5128e771 100644 --- a/src/tools/common/sss_tools.c +++ b/src/tools/common/sss_tools.c 
@@ -36,6 +36,13 @@ struct sss_cmdline { const char **argv; }; +static void sss_tool_print_common_opts(void) +{ +fprintf(stderr, _(Common options:\n)); +fprintf(stderr, -d, --debug=INT%s\n, +_(Enable debug at level)); I'm not sure, but is it habbit to indent to '('? I mean: || +fprintf(stderr, -d, --debug=INT%s\n, || +_(Enable debug at level)); +} + static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx, int *argc, const char **argv) { @@ -201,6 +208,9 @@ int sss_tool_usage(const char *tool_name, fprintf(stderr, * %s\n, commands[i].command); } +fprintf(stderr, _(\n)); +sss_tool_print_common_opts(); + return EXIT_FAILURE; } @@ -237,6 +247,13 @@ int sss_tool_route(int argc, const char **argv, return sss_tool_usage(argv[0], commands); } +static void sss_tool_popt_print_help(poptContext pc) +{ +poptPrintHelp(pc, stderr, 0); +fprintf(stderr, \n); +sss_tool_print_common_opts(); +} + int sss_tool_popt_ex(struct sss_cmdline *cmdline, struct poptOption *options, enum sss_tool_opt require_option, @@ -286,7 +303,7 @@ int sss_tool_popt_ex(struct sss_cmdline *cmdline, } else { fprintf(stderr, _(Invalid option %s: %s\n\n), poptBadOption(pc, 0), poptStrerror(ret)); -poptPrintHelp(pc, stderr, 0); +sss_tool_popt_print_help(pc); ret = EXIT_FAILURE; goto done; } @@ -297,7 +314,7 @@ int sss_tool_popt_ex(struct sss_cmdline *cmdline, *_fopt = poptGetArg(pc); if (*_fopt == NULL) { fprintf(stderr, _(Missing option: %s\n\n), fopt_help); -poptPrintHelp(pc, stderr, 0); +sss_tool_popt_print_help(pc); ret = EXIT_FAILURE; goto done; } @@ -305,7 +322,7 @@ int sss_tool_popt_ex(struct sss_cmdline *cmdline, /* No more arguments expected. If something follows it is an error. */ if (poptGetArg(pc)) { fprintf(stderr, _(Only one free argument is expected!\n\n)); -poptPrintHelp(pc, stderr, 0); +sss_tool_popt_print_help(pc); ret = EXIT_FAILURE; goto done; } 
@@ -315,7 +332,7 @@ int sss_tool_popt_ex(struct sss_cmdline *cmdline, if (require_option == SSS_TOOL_OPT_REQUIRED ((_fopt != NULL cmdline-argc 2) || cmdline-argc 1)) { fprintf(stderr, _(At least one option is required!\n\n)); -poptPrintHelp(pc, stderr, 0); +sss_tool_popt_print_help(pc); ret = EXIT_FAILURE; goto done; } -- 2.1.0
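Review bot: in the sss_override.8.xml hunk @@ -189, the new COMMON OPTIONS paragraph should read "These options are available with all commands." rather than "Those options"; the trailing whitespace Petr points out on the two blank lines above should be removed in the same revision.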
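Review bot: in the sss_tools.c hunk @@ -201, `fprintf(stderr, _(\n));` wraps a bare newline in gettext, which hands translators a msgid consisting of a newline; use a plain `fprintf(stderr, "\n")` or fputc instead. In `sss_tool_print_common_opts` (hunk @@ -36), the format `-d, --debug=INT%s\n` runs the option text straight into the translated "Enable debug at level" as quoted here; please confirm the committed string keeps padding between them so the line aligns with popt's own help output.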
Re: [SSSD] [PATCH] sss_override: document --debug options
On 08/25/2015 01:36 PM, Pavel Březina wrote: +static void sss_tool_print_common_opts(void) +{ +fprintf(stderr, _(Common options:\n)); +fprintf(stderr, -d, --debug=INT%s\n, +_(Enable debug at level)); I'm not sure, but is it habbit to indent to '('? I mean: || +fprintf(stderr, -d, --debug=INT%s\n, || +_(Enable debug at level)); I tend to indent to format specifier if possible, so format and data remains together. OK. I was install it, everything is right. http://sssd-ci.duckdns.org/logs/job/23/76/summary.html ACK Petr
Re: [SSSD] [PATCH] DATA_PROVIDER: BE_REQ as string in log message
On 09/04/2015 04:32 PM, Pavel Reichl wrote: On 08/28/2015 04:31 PM, Petr Cech wrote: + "Got request for [%#x][%s][%d][%s]\n", type, be_req2str(type), + attr_type, filter); Petr do you think it could be useful to print attr_type as a string? We talked about it offline. It seems to be only value type, nothing important. But there is a new rebased patch, because development you cannot stop. Petr ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel >From bb50f8cc4c50a68c0046e768b721e24d37752813 Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Tue, 18 Aug 2015 06:59:31 -0400 Subject: [PATCH] DATA_PROVIDER: BE_REQ as string in log message Add be_req2str() for translation BE_REQ to string. So we will have || Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian] instead of || Got request for [0x1001][1][name=celestian] Function be_req2str() is used in data provider and in responder too. So this patch create new header file data_provider_req.h which delivers function be_req2str() and definitions of BE_REQ_*. Resolves: https://fedorahosted.org/sssd/ticket/2708 --- Makefile.am | 5 +++- src/providers/data_provider.h | 17 +-- src/providers/data_provider_be.c| 3 +- src/providers/data_provider_req.c | 58 + src/providers/data_provider_req.h | 51 src/responder/common/responder_dp.c | 4 +-- 6 files changed, 118 insertions(+), 20 deletions(-) create mode 100644 src/providers/data_provider_req.c create mode 100644 src/providers/data_provider_req.h diff --git a/Makefile.am b/Makefile.am index 851f943a4c57b70cee4f4f34e83457e7d204aff1..dc0670a5c720ab58a47e7da356578256b4659695 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -449,7 +449,8 @@ SSSD_RESPONDER_OBJ = \ src/monitor/monitor_iface_generated.c \ src/monitor/monitor_iface_generated.h \ src/providers/data_provider_iface_generated.c \ -src/providers/data_provider_iface_generated.h +src/providers/data_provider_iface_generated.h \ +src/providers/data_provider_req.c SSSD_TOOLS_OBJ = \ src/tools/sss_sync_ops.c \ @@ -587,6 +588,7 @@ dist_noinst_HEADERS = \ src/confdb/confdb_private.h \ src/confdb/confdb_setup.h \ src/providers/data_provider.h \ +src/providers/data_provider_req.h \ src/providers/dp_backend.h \ src/providers/dp_dyndns.h \ src/providers/dp_ptask_private.h \ @@ -1201,6 +1203,7 @@ endif sssd_be_SOURCES = \ src/providers/data_provider_be.c \ +src/providers/data_provider_req.c \ src/providers/data_provider_fo.c \ src/providers/data_provider_opts.c \ src/providers/data_provider_callbacks.c \ diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h index 510c63ce41c99314ec8fcf11fffb2e66082e8951..39051b90c3aad96f62dcbb86a20bcfd8c954879b 100644 --- a/src/providers/data_provider.h +++ b/src/providers/data_provider.h @@ -43,6 +43,7 @@ #include "sbus/sbus_client.h" #include "sss_client/sss_cli.h" #include "util/authtok.h" +#include "providers/data_provider_req.h" #include "providers/data_provider_iface_generated.h" #define DATA_PROVIDER_VERSION 0x0001 @@ -131,22 +132,6 @@ #define BE_FILTER_CERT 6 #define BE_FILTER_WILDCARD 7 -#define BE_REQ_USER 0x0001 -#define BE_REQ_GROUP 0x0002 -#define BE_REQ_INITGROUPS0x0003 -#define BE_REQ_NETGROUP 0x0004 -#define BE_REQ_SERVICES 0x0005 -#define BE_REQ_SUDO_FULL 0x0006 -#define BE_REQ_SUDO_RULES0x0007 -#define BE_REQ_AUTOFS0x0009 -#define BE_REQ_HOST 0x0010 -#define BE_REQ_BY_SECID 0x0011 -#define BE_REQ_USER_AND_GROUP 0x0012 -#define BE_REQ_BY_UUID 0x0013 -#define BE_REQ_BY_CERT 0x0014 -#define BE_REQ_TYPE_MASK 0x00FF -#define BE_REQ_FAST 0x1000 - #define DP_SEC_ID "secid" #define DP_CERT "cert" /* sizeof() counts the trailing \0 so we must substract 1 for the string 
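Review bot: the BE_REQ_* table that this hunk moves out of data_provider.h is not contiguous: BE_REQ_SUDO_RULES is 0x0007 and BE_REQ_AUTOFS is 0x0009, leaving 0x0008 unused, and BE_REQ_FAST (0x1000) is or-ed on top of the masked type. If be_req2str() in the new data_provider_req.c is written as an array indexed by `type`, 0x0008 and every FAST value will read past the end of the names; a switch over `type & BE_REQ_TYPE_MASK` with a separate test of `type & BE_REQ_FAST` avoids that. A one-line comment next to the defines in the new header saying whether 0x0008 is free would also stop the next person from "filling the gap".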
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c index d147630248f0a24f5a632760b55b9284a6928e40..d71a69cb8e2997975828236998ec0b0e3f353f07 100644 --- a/src/providers/data_provider_be.c +++ b/src/providers/data_provider_be.c @@ -1104,7 +1104,8 @@ static int be_get_account_info(struct sbus_request *dbus_req, void *user_data) return EOK; /* handled */ DEBUG(SSSDBG_FUNC_DATA, - "Got request for [%#x][%d][%s]\n", type, attr_type, filter); + "Got request for [%#x][%s][%d][%s]\n", type, be_req2str(type), + attr_type, filter); /* If we are offline and fast reply was requested * return offline immediately diff --git a/src/providers/data_provider_req.c b/src/providers/data_provider_req.c
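Review bot: in this hunk `be_req2str(type)` feeds a `%s` conversion in DEBUG(), so it must never return NULL; `type` comes in from the D-Bus request handled by be_get_account_info() and is not validated before this log line, so an unexpected value has to map to a fixed fallback string (for example "BE_REQ_UNKNOWN" plus the hex value) rather than NULL. The implementation lives in data_provider_req.c, which is cut off in this message; please confirm the default case does that.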
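One way to write the translation described in the commit message so that it can never hand a NULL to `%s`, as an added example that is not code from the patch (the patch's data_provider_req.c is cut off above). The BE_REQ_* values are copied from the data_provider.h hunk; the caller-supplied buffer parameters and the `be_req_base_name()` helper are this example's own choices, not the patch's signature, which takes only the type.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Request type values copied from the data_provider.h hunk of this patch. */
#define BE_REQ_USER            0x0001
#define BE_REQ_GROUP           0x0002
#define BE_REQ_INITGROUPS      0x0003
#define BE_REQ_NETGROUP        0x0004
#define BE_REQ_SERVICES        0x0005
#define BE_REQ_SUDO_FULL       0x0006
#define BE_REQ_SUDO_RULES      0x0007
#define BE_REQ_AUTOFS          0x0009
#define BE_REQ_HOST            0x0010
#define BE_REQ_BY_SECID        0x0011
#define BE_REQ_USER_AND_GROUP  0x0012
#define BE_REQ_BY_UUID         0x0013
#define BE_REQ_BY_CERT         0x0014
#define BE_REQ_TYPE_MASK       0x00FF
#define BE_REQ_FAST            0x1000

/* Name of a base request type, or NULL for a value with no name
 * (0x0008 and everything above BE_REQ_BY_CERT). Example helper. */
static const char *be_req_base_name(uint32_t base)
{
    switch (base) {
    case BE_REQ_USER:           return "BE_REQ_USER";
    case BE_REQ_GROUP:          return "BE_REQ_GROUP";
    case BE_REQ_INITGROUPS:     return "BE_REQ_INITGROUPS";
    case BE_REQ_NETGROUP:       return "BE_REQ_NETGROUP";
    case BE_REQ_SERVICES:       return "BE_REQ_SERVICES";
    case BE_REQ_SUDO_FULL:      return "BE_REQ_SUDO_FULL";
    case BE_REQ_SUDO_RULES:     return "BE_REQ_SUDO_RULES";
    case BE_REQ_AUTOFS:         return "BE_REQ_AUTOFS";
    case BE_REQ_HOST:           return "BE_REQ_HOST";
    case BE_REQ_BY_SECID:       return "BE_REQ_BY_SECID";
    case BE_REQ_USER_AND_GROUP: return "BE_REQ_USER_AND_GROUP";
    case BE_REQ_BY_UUID:        return "BE_REQ_BY_UUID";
    case BE_REQ_BY_CERT:        return "BE_REQ_BY_CERT";
    default:                    return NULL;
    }
}

/*
 * Render a request type into caller-provided storage (the buffer
 * parameters are this example's choice; the patch's be_req2str() takes
 * only the type). The FAST flag becomes a prefix, the base type its
 * name, and a value without a name is printed in hex, so the result is
 * never NULL and is always safe as a %s argument. Bits outside
 * BE_REQ_TYPE_MASK | BE_REQ_FAST are reported rather than dropped.
 * Always returns buf.
 */
const char *be_req2str(uint32_t type, char *buf, size_t buflen)
{
    uint32_t base = type & BE_REQ_TYPE_MASK;
    uint32_t extra = type & ~(uint32_t)(BE_REQ_TYPE_MASK | BE_REQ_FAST);
    const char *fast = (type & BE_REQ_FAST) ? "FAST " : "";
    const char *name = be_req_base_name(base);

    if (name == NULL) {
        snprintf(buf, buflen, "%sBE_REQ_UNKNOWN(0x%x)", fast, (unsigned)base);
    } else if (extra != 0) {
        snprintf(buf, buflen, "%s%s|0x%x", fast, name, (unsigned)extra);
    } else {
        snprintf(buf, buflen, "%s%s", fast, name);
    }
    return buf;
}

int main(void)
{
    /* Constructed sample values; 0x1001 is the one from the commit message. */
    const uint32_t samples[] = { 0x1001, BE_REQ_USER_AND_GROUP, 0x0008, 0x2003 };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("Got request for [%#x][%s]\n", (unsigned)samples[i],
               be_req2str(samples[i], buf, sizeof(buf)));
    }
    return 0;
}
```

The caller-owned buffer is deliberate: a static buffer would make the function unsafe to use twice in one DEBUG() call, and returning string literals only would force a separate literal for every FAST/non-FAST pair.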
[SSSD] Review of umask() in SSSD
Hi, I am reviewing umask() in our code according to https://fedorahosted.org/sssd/ticket/2424 There are many uses like umask(DFL_RSP_UMASK): src/responder/autofs/autofssrv.c:223 src/responder/ifp/ifpsrv.c:401 src/responder/nss/nsssrv.c:589 src/responder/pac/pacsrv.c:232 src/responder/pam/pamsrv.c:369 src/responder/ssh/sshsrv.c:209 src/responder/sudo/sudosrv.c:215 where DFL_RSP_UMASK is defined as 0177. There are another three uses of umask 0177: src/confdb/confdb.c:662 src/util/debug.c:365 src/util/server.c:495 And then I see many uses of umask 077: src/p11_child/p11_child_nss.c:485 src/providers/krb5/krb5_child.c:723 src/tests/check_and_open-tests.c:51 src/tests/debug-tests.c:136 src/tests/debug-tests.c:276 src/tests/util-tests.c:596 src/util/domain_info_utils.c:312 src/util/domain_info_utils.c:562 src/tools/tools_util.c:503 I would like to ask you if we would like to use 0077 or 0177 as our very restrictive mask. I see that our code is not consistent on this question. I know the difference is small, but it is. Then we have some insecure uses: src/providers/ipa/selinux_child.c:154: umask = 0 src/providers/krb5/krb5_ccache.c:188:umask = src/responder/nss/nsssrv_mmap_cache.c:1121: umask = 0022 but I think there is a reason for it. And the last one is at src/responder/common/responder_common.c:561: int create_pipe_fd(const char *sock_name, int *_fd, mode_t umaskval) We use it securely (0177) at: src/responder/common/responder_common.c:693 src/responder/pam/pamsrv.c:399 And not so securely: src/responder/common/responder_common.c:670 umask = 0111 src/responder/pam/pamsrv.c:391 umask = 0111 src/tests/cwrap/test_responder_common.c:173 umask = 0111 src/tests/cwrap/test_responder_common.c:179 umask = So, what could I do? Maybe we could have only one very secure umask and maybe we could have a CONSTANT for every use of umask. Any other ideas? Regards Petr
[SSSD] [PATCH] DEBUG: Preventing chown_debug_file if journald on
Hi, patch for https://fedorahosted.org/sssd/ticket/2493 is attached. Petr >From 1d87d8dd390c229ac603569a604d9cca656c3f1b Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Thu, 10 Sep 2015 10:05:59 -0400 Subject: [PATCH] DEBUG: Preventing chown_debug_file if journald on There is a function chown_debug_file() which didn't check whether SSSD is compiled with journald support. This patch adds a simple check of this state. Resolves: https://fedorahosted.org/sssd/ticket/2493 --- src/util/debug.c | 4 1 file changed, 4 insertions(+) diff --git a/src/util/debug.c b/src/util/debug.c index 69df54386101973548108c3194a1bfd111f046f0..70d136dbfc996a4bcbd246861c55c6eba7a5b65b 100644 --- a/src/util/debug.c +++ b/src/util/debug.c @@ -316,6 +316,8 @@ int chown_debug_file(const char *filename, const char *log_file; errno_t ret; +#ifndef WITH_JOURNALD + if (filename == NULL) { log_file = debug_log_file; } else { @@ -336,6 +338,8 @@ int chown_debug_file(const char *filename, return ret; } +#endif /* WITH_JOURNALD */ + return EOK; } -- 2.4.3
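Review bot: the `#ifndef WITH_JOURNALD` guard in this hunk keys on how SSSD was built, not on where it logs: a build with journald support can still write to log files (the reply later in this thread says that is the Fedora and RHEL 7 default), and in that configuration chown_debug_file() would now silently skip the chown and leave the log file owned by the original uid. The condition should be the runtime state, i.e. whether a log file is actually open. As written the guard also leaves `log_file` and `ret`, declared above the `#ifndef`, unused in journald builds, which will trip -Wunused-variable.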
Re: [SSSD] [PATCH] [HBAC]: Better libhbac debuging
On 09/11/2015 05:24 PM, Lukas Slebodnik wrote: --- a/src/providers/ipa/ipa_hbac.exports >+++ b/src/providers/ipa/ipa_hbac.exports >@@ -1,4 +1,4 @@ >-IPA_HBAC_0.0.1 { >+IPA_HBAC_0.0.2 { > > # public functions > global: >@@ -8,6 +8,7 @@ IPA_HBAC_0.0.1 { > hbac_error_string; > hbac_free_info; > hbac_rule_is_complete; >+hbac_enable_debug; This change is not correct. New functions should not be added to the existing version which was released. You also forgot to update version-info for the library. @see more details about version script files in the thread which introduced them to sssd https://lists.fedorahosted.org/pipermail/sssd-devel/2014-July/019693.html On Thu, Jun 26, 2014 at 10:31:27AM +0200, Lukas Slebodnik wrote: >ehlo, > >attached patch fixes ticket #2194. > >If you want to know more about version scripts (version maps) here are links: > >http://people.redhat.com/drepper/dsohowto.pdf > (sections 2.2.5 .. 2.2.7, 3.4, 3.5) >https://www.gnu.org/software/gnulib/manual/html_node/LD-Version-Scripts.html >ftp://ftp.gnu.org/old-gnu/Manuals/ld-2.9.1/html_node/ld_25.html BTW all these links were provided off the list a few weeks ago. And for simplification attached is a patch which should be squashed into your 2nd patch:-) LS Hello Lukas, thanks for the comment and for the patch too. I attached the fixed patch. Petr 0001-squash_me.patch From 4246d5cd91c4c34b8524be5bfce38c57163a6e2b Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik<lsleb...@redhat.com> Date: Fri, 11 Sep 2015 17:04:58 +0200 Subject: [PATCH] squash_me --- Makefile.am| 2 +- src/providers/ipa/ipa_hbac.exports | 8 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/Makefile.am b/Makefile.am index 851f943a4c57b70cee4f4f34e83457e7d204aff1..a2a868455f91fac212fcfa7b41681086145c06f9 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -928,7 +928,7 @@ libipa_hbac_la_LIBADD = \ $(UNICODE_LIBS) libipa_hbac_la_LDFLAGS = \ -Wl,--version-script,$(srcdir)/src/providers/ipa/ipa_hbac.exports \ --version-info 0:1:0 +-version-info 1:0:1 Lukas, are you sure about this version number 1:0:1? If you're really sure about this number, I have not understood it properly. dist_noinst_DATA += src/providers/ipa/ipa_hbac.exports diff --git a/src/providers/ipa/ipa_hbac.exports b/src/providers/ipa/ipa_hbac.exports index 63b6a5cd673d7b7f3096794648483d280a6bb47f..b7945e139b9ab81b7c1d68eb707acaaff7163a2e 100644 --- a/src/providers/ipa/ipa_hbac.exports +++ b/src/providers/ipa/ipa_hbac.exports @@ -1,4 +1,4 @@ -IPA_HBAC_0.0.2 { +IPA_HBAC_0.0.1 { # public functions global: @@ -8,9 +8,13 @@ IPA_HBAC_0.0.2 { hbac_error_string; hbac_free_info; hbac_rule_is_complete; -hbac_enable_debug; # everything else is local local: *; }; + +IPA_HBAC_0.1.0 { +global: +hbac_evaluate; +} IPA_HBAC_0.0.1; -- >From 3b235cdc2c8d55dbaac9a78f82bef12576346b97 Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Wed, 26 Aug 2015 02:50:26 -0400 Subject: [PATCH 1/2] TESTS: Fixing of uninitialized pointer. There was a bug with an uninitialized pointer found while solving ticket 2703. More details: rules[0]->services->names[1] is initialized on line 361, but the initialization of rules[0]->srchosts->names[1] was missing. Resolves: https://fedorahosted.org/sssd/ticket/2703 --- src/tests/ipa_hbac-tests.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tests/ipa_hbac-tests.c b/src/tests/ipa_hbac-tests.c index bd56c8f107b05f07b1ba8913fc14a03419d679f7..f2192a6fbc5188a7a7f6b204e03ca5961bb53f75 100644 --- a/src/tests/ipa_hbac-tests.c +++ b/src/tests/ipa_hbac-tests.c @@ -367,7 +367,7 @@ START_TEST(ipa_hbac_test_allow_utf8) fail_if(rules[0]->services->names == NULL); rules[0]->srchosts->names[0] = (const char *) _utf8_upcase; -rules[0]->services->names[1] = NULL; +rules[0]->srchosts->names[1] = NULL; rules[1] = NULL; -- 2.4.3 
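Review bot: in the ipa_hbac.exports hunk the symbol taken out of IPA_HBAC_0.0.1, hbac_enable_debug, does not reappear in the new IPA_HBAC_0.1.0 node; that node lists hbac_evaluate instead, which is not a symbol this series adds (the first patch added hbac_enable_debug). With `local: *;` in the base node, hbac_enable_debug therefore ends up hidden and ipa_access.c will fail to link against the shared library. The new node should read `global: hbac_enable_debug;`. The -version-info change 0:1:0 -> 1:0:1 is correct for an added interface (current+1, revision reset to 0, age+1), and the `-IPA_HBAC_0.0.2 +IPA_HBAC_0.0.1` lines correctly undo the version rename from the first patch.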
>From 8964ab1d9647086c977ea25563ac552092f7159e Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Fri, 24 Jul 2015 10:56:49 -0400 Subject: [PATCH 2/2] HBAC: Better libhbac debugging Added support for logging via an external log function. The log provides information about rule evaluation (HBAC_DBG_INFO level) and additionally can describe the rules (HBAC_DBG_TRACE level). Resolves: https://fedorahosted.org/sssd/ticket/2703 --- Makefile.am| 2 +- src/providers/ipa/hbac_evaluator.c | 168 - src/providers/ipa/ipa_access.c | 50 +++ src/providers/ipa/ipa_hbac.exports | 6 ++ src/providers/ipa/ipa_hbac.h | 22 + 5 files changed, 245 insertions(+), 3 deletions(-) diff --git a/Makefile.am b/Makefile.am index 851f943a4c57b70c
Re: [SSSD] [PATCH] DEBUG: Preventing chown_debug_file if journald on
On 09/11/2015 11:02 AM, Lukas Slebodnik wrote: I do not understand how the function chown_debug_file is related to journald. sssd can be compiled with journald support and at the same time can log to files. This is the default for Fedora and RHEL 7. If someone wants to enable logging all messages to journald then a manual change to the file /etc/systemd/system/sssd.service.d/journal.conf is required. LS Right, thanks, it wasn't a good way to fix it. There is another fixing patch attached. I used the variable debug_file which informs us whether we use logfiles. And I hope that I can ignore the variable debug_to_stderr. Petr >From 8cb0a4a6b59259e9096ae6f5926595b7b10d6b27 Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Thu, 10 Sep 2015 10:05:59 -0400 Subject: [PATCH] DEBUG: Preventing chown_debug_file if journald on There is a function chown_debug_file() which didn't check whether SSSD is compiled with journald support. This patch adds a simple check of this state. Resolves: https://fedorahosted.org/sssd/ticket/2493 --- src/util/debug.c | 35 +++ 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/src/util/debug.c b/src/util/debug.c index 69df54386101973548108c3194a1bfd111f046f0..b6ab368db824bbd297dcb410c3e669d911ff0d33 100644 --- a/src/util/debug.c +++ b/src/util/debug.c 
@@ -316,24 +316,27 @@ int chown_debug_file(const char *filename, const char *log_file; errno_t ret; -if (filename == NULL) { -log_file = debug_log_file; -} else { -log_file = filename; -} +if (debug_file) { -ret = asprintf(, "%s/%s.log", LOG_PATH, log_file); -if (ret == -1) { -return ENOMEM; -} +if (filename == NULL) { +log_file = debug_log_file; +} else { +log_file = filename; +} -ret = chown(logpath, uid, gid); -free(logpath); -if (ret != 0) { -ret = errno; -DEBUG(SSSDBG_FATAL_FAILURE, "chown failed for [%s]: [%d]\n", - log_file, ret); -return ret; +ret = asprintf(, "%s/%s.log", LOG_PATH, log_file); +if (ret == -1) { +return ENOMEM; +} + +ret = chown(logpath, uid, gid); +free(logpath); +if (ret != 0) { +ret = errno; +DEBUG(SSSDBG_FATAL_FAILURE, "chown failed for [%s]: [%d]\n", + log_file, ret); +return ret; +} } return EOK; -- 2.4.3 ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
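Review bot: rather than wrapping the whole body in `if (debug_file) { ... }` and re-indenting it, an early `if (debug_file == NULL) { return EOK; }` keeps this diff to two lines and the function flat. The more important question is ordering: `debug_file` is only non-NULL once a log file has been opened in this process, so the check is right only if every caller of chown_debug_file() runs after that point; a caller that runs before the log file is opened now skips the chown silently, and a comment at the early return should say so. Also, the commit message still describes a check of "compiled with journald support" while this version tests the runtime `debug_file` state; please update it to match.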
Re: [SSSD] [PATCH] cache_req: support UPN
On 09/14/2015 01:34 PM, Pavel Březina wrote: On 09/14/2015 01:32 PM, Pavel Březina wrote: 0001: Use extra flag also in OOB request. 0002: Provide support for UPN. This adds an improvement from the NSS code, but I'm not sure if it is desired or not. If you have [domain/AD.PB] in sssd.conf and UPN "u...@ad.pb" then the NSS responder will not find this user, cache_req will. Is this nss behavior intentional or a bug? 0003: I got really sick of the way new tests are written in cache_req when writing new tests so I kinda rewrote it. I think this completes the cache_req interface. If you find anything missing, please let me know so I can add it. Hi, I compiled it. CI tests over all 3 patches: http://sssd-ci.duckdns.org/logs/job/26/73/summary.html I was interested in the third patch, since it affects the tests with which I have worked. This is something that I will inspect in more detail. I cannot say ack, because there is a lot of logic. I would like to ask someone more experienced to take care of this review. Petr PS: I installed AD on my laptop and I am trying to set it up correctly.
Re: [SSSD] [PATCH] [HBAC]: Better libhbac debuging
On 09/14/2015 03:25 PM, Jakub Hrozek wrote: On Mon, Sep 14, 2015 at 02:15:39PM +0200, Petr Cech wrote: From 4246d5cd91c4c34b8524be5bfce38c57163a6e2b Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik<lsleb...@redhat.com> Date: Fri, 11 Sep 2015 17:04:58 +0200 Subject: [PATCH] squash_me --- Makefile.am| 2 +- src/providers/ipa/ipa_hbac.exports | 8 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/Makefile.am b/Makefile.am index 851f943a4c57b70cee4f4f34e83457e7d204aff1..a2a868455f91fac212fcfa7b41681086145c06f9 100644 --- a/Makefile.am +++ b/Makefile.am @@ -928,7 +928,7 @@ libipa_hbac_la_LIBADD = \ $(UNICODE_LIBS) libipa_hbac_la_LDFLAGS = \ -Wl,--version-script,$(srcdir)/src/providers/ipa/ipa_hbac.exports \ --version-info 0:1:0 +-version-info 1:0:1 Lukas, are you sure about this version number 1:0:1? If you're really sure about this number, I have not understood it properly. I have not read the patch at all, just adding a link about version info [1] https://www.gnu.org/software/libtool/manual/libtool.html#Updating-version-info The trick to follow this guide is that it's really an algorithm, so you shouldn't stop at the first change, but continue (potentially reverting or overwriting previous changes) I understand how we changed -version-info (it is exactly the steps described in [1]), but I don't clearly understand the changes in .exports. Petr
Re: [SSSD] [PATCH] cache_req: support UPN
Hi Pavel! There is some code between my last end and this continuation. I read it and didn't find anything wrong. On 09/16/2015 04:26 PM, Petr Cech wrote: 0003-cache_req-tests-reduce-code-duplication.patch From e41f96a47f2b0f8d3e07e34af83e9a516d29df34 Mon Sep 17 00:00:00 2001 From: Pavel Březina<pbrez...@redhat.com> Date: Mon, 14 Sep 2015 11:06:45 +0200 Subject: [PATCH 3/3] cache_req tests: reduce code duplication --- src/tests/cmocka/test_responder_cache_req.c | 1624 +++ 1 file changed, 394 insertions(+), 1230 deletions(-) diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c index 7db87ccc816ea0e30e707ec8c2fa4666441892a8..2af481494319d0d01d29d0c243020c5adcb06d3a 100644 --- a/src/tests/cmocka/test_responder_cache_req.c +++ b/src/tests/cmocka/test_responder_cache_req.c @@ -52,6 +52,27 @@ test_multi_domain_setup, \ test_multi_domain_teardown) +#define run_cache_req(ctx, send_fn, done_fn, dom, crp, lookup, expret) do { \ +TALLOC_CTX *req_mem_ctx;\ +struct tevent_req *req; \ +errno_t ret;\ + \ +req_mem_ctx = talloc_new(global_talloc_context);\ + check_leaks_push(req_mem_ctx); \ + \ +req = send_fn(req_mem_ctx, ctx->tctx->ev, ctx->rctx,\ + ctx->ncache, 10, crp, \ + (dom == NULL ? NULL : dom->name), lookup);\ + assert_non_null(req); \ +tevent_req_set_callback(req, done_fn, ctx); \ + \ +ret = test_ev_loop(ctx->tctx); \ +assert_int_equal(ret, expret); \ + assert_true(check_leaks_pop(req_mem_ctx)); \ + \ + talloc_free(req_mem_ctx); \ +} while (0) This definition should be a function. I found that you use it like # return run_cache_req(...) but it doesn't provide a value. + struct cache_req_test_ctx { struct sss_test_ctx *tctx; struct resp_ctx *rctx; 
@@ -80,46 +101,6 @@ struct cli_protocol_version *register_cli_protocol_version(void) return version; } -struct tevent_req * -__wrap_sss_dp_get_account_send(TALLOC_CTX *mem_ctx, - struct resp_ctx *rctx, - struct sss_domain_info *dom, - bool fast_reply, - enum sss_dp_acct_type type, - const char *opt_name, - uint32_t opt_id, - const char *extra) -{ -struct sysdb_attrs *attrs = NULL; -struct cache_req_test_ctx *ctx = NULL; -errno_t ret; - -ctx = sss_mock_ptr_type(struct cache_req_test_ctx*); -ctx->dp_called = true; - -if (ctx->create_user) { -attrs = sysdb_new_attrs(ctx); -assert_non_null(attrs); - -ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, TEST_UPN); -assert_int_equal(ret, EOK); - -ret = sysdb_store_user(ctx->tctx->dom, TEST_USER_NAME, "pwd", - TEST_USER_ID, 1000, NULL, NULL, NULL, - "cn=test-user,dc=test", attrs, NULL, - 1000, time(NULL)); -assert_int_equal(ret, EOK); -} - -if (ctx->create_group) { -ret = sysdb_store_group(ctx->tctx->dom, TEST_GROUP_NAME, -TEST_GROUP_ID, NULL, 1000, time(NULL)); -assert_int_equal(ret, EOK); -} - -return test_req_succeed_send(mem_ctx, rctx->ev); -} - static void cache_req_user_by_name_test_done(struct tevent_req *req) { struct cache_req_test_ctx *ctx = NULL; @@ -176,6 +157,173 @@ static void cache_req_group_by_id_test_done(struct tevent_req *req) ctx->tctx->done = true; } +static void prepare_user(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + uint64_t timeout, + time_t time) +{ +struct sysdb_attrs *attrs; +errno_t ret; + +attrs = sysdb_new_attrs(mem_ctx); +assert_non_null(attrs); + +ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, TEST_UPN); +assert_int_equal(ret, EOK); + +ret = sysdb_store_user(domain, TEST_USER_NAME, "pwd", + TEST_USER_ID, TEST_GROUP_ID, NULL, NULL, NULL, + "cn=test-user,dc=test", attrs, NULL, +
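Review bot: the test fixture changes inside a patch titled "reduce code duplication": the removed __wrap_sss_dp_get_account_send() stored the user with `TEST_USER_ID, 1000, NULL, ...` (primary gid 1000), while the new prepare_user() stores it with `TEST_USER_ID, TEST_GROUP_ID`. If TEST_GROUP_ID is not 1000 this changes what the group and initgroups lookups see; either keep 1000 or call the change out in the commit message. On the run_cache_req macro in the previous hunk: a `do { ... } while (0)` block is a statement, not an expression, so it cannot be used as a return value, and `ctx` is expanded six times; a static helper taking the same arguments gives the same brevity without either problem and keeps assertion line numbers meaningful.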
Re: [SSSD] Review of umask() in SSSD
On 09/11/2015 01:47 PM, Jakub Hrozek wrote: On Thu, Sep 10, 2015 at 12:27:17PM +0200, Petr Cech wrote: Hi, I am reviewing umask() in our code according to https://fedorahosted.org/sssd/ticket/2424 There are many uses like umask(DFL_RSP_UMASK): src/responder/autofs/autofssrv.c:223 src/responder/ifp/ifpsrv.c:401 src/responder/nss/nsssrv.c:589 src/responder/pac/pacsrv.c:232 src/responder/pam/pamsrv.c:369 src/responder/ssh/sshsrv.c:209 src/responder/sudo/sudosrv.c:215 where DFL_RSP_UMASK is defined as 0177. There are another three uses of umask 0177: src/confdb/confdb.c:662 src/util/debug.c:365 src/util/server.c:495 And then I see many uses of umask 077: src/p11_child/p11_child_nss.c:485 src/providers/krb5/krb5_child.c:723 src/tests/check_and_open-tests.c:51 src/tests/debug-tests.c:136 src/tests/debug-tests.c:276 src/tests/util-tests.c:596 src/util/domain_info_utils.c:312 src/util/domain_info_utils.c:562 src/tools/tools_util.c:503 I would like to ask you if we would like to use 0077 or 0177 as our very restrictive mask. I see that our code is not consistent on this question. I know the difference is small, but it is. I guess 0177 should be used. Then we have some insecure uses: src/providers/ipa/selinux_child.c:154: umask = 0 src/providers/krb5/krb5_ccache.c:188:umask = src/responder/nss/nsssrv_mmap_cache.c:1121: umask = 0022 but I think there is a reason for it. Yes, it would be nice if there was always a comment explaining the umask. And the last one is at src/responder/common/responder_common.c:561: int create_pipe_fd(const char *sock_name, int *_fd, mode_t umaskval) We use it securely (0177) at: src/responder/common/responder_common.c:693 src/responder/pam/pamsrv.c:399 If this is in a responder, would it make sense to just use DFL_RSP_UMASK ? 
And not so securely: src/responder/common/responder_common.c:670 umask = 0111 This one has a comment explaining why the umask is the way it is, but would it make sense to add a note about public/private sockets as well (maybe not to the code but to the InternalsDocs) and #define a constant for the public pipes? src/responder/pam/pamsrv.c:391 umask = 0111 src/tests/cwrap/test_responder_common.c:173 umask = 0111 src/tests/cwrap/test_responder_common.c:179 umask = So, what could I do? Maybe we could have only one very secure umask and maybe we could have a CONSTANT for every use of umask. Any other ideas? I like this idea, the constant could describe why we need this particular umask better than the number also. Regards Petr Thanks, Jakub, for the comments. There is a patch attached. Petr >From 1da3d15cf5cfcd72742cb05be9a144ab40db7d29 Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Tue, 15 Sep 2015 10:50:37 -0400 Subject: [PATCH] REFACTOR: Review of umask() function We have many uses of umask() in our code. This patch substitutes values with constants and adds comments in some cases. Resolves: https://fedorahosted.org/sssd/ticket/2424 --- src/confdb/confdb.c | 2 +- src/p11_child/p11_child_nss.c | 2 +- src/providers/krb5/krb5_ccache.c| 1 + src/providers/krb5/krb5_child.c | 2 +- src/responder/common/responder_common.c | 3 ++- src/responder/pam/pamsrv.c | 3 ++- src/tests/check_and_open-tests.c| 2 +- src/tests/debug-tests.c | 4 ++-- src/tests/util-tests.c | 2 +- src/util/debug.c| 2 +- src/util/domain_info_utils.c| 4 ++-- src/util/server.c | 2 +- src/util/util.h | 2 ++ 13 files changed, 18 insertions(+), 13 deletions(-) 
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index 3a8a1c01b92e62302ac4f787ccd085be9d8f05c3..d71a50724d292bbea7d49e650062e11066c6ff77 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -659,7 +659,7 @@ int confdb_init(TALLOC_CTX *mem_ctx, return EIO; } -old_umask = umask(0177); +old_umask = umask(SSS_VERY_RESTRICTIVE_UMASK); ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL); umask(old_umask); diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c index 44ba6678893408dbfc0c6c7cfd5edcdaa789f518..d999e7485f5f67792502400084dbd603f1558a8d 100644 --- a/src/p11_child/p11_child_nss.c +++ b/src/p11_child/p11_child_nss.c @@ -482,7 +482,7 @@ int main(int argc, const char *argv[]) debug_level = SSSDBG_INVALID; clearenv(); -umask(077); +umask(SSS_VERY_RESTRICTIVE_UMASK); pc = poptGetContext(argv[0], argc, argv, long_options, 0); while ((opt = poptG
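Review bot: replacing `umask(077)` with SSS_VERY_RESTRICTIVE_UMASK (0177) in p11_child_nss.c main() changes the child's process-wide umask, not just one file's mode: 0177 also clears the owner execute/search bit, so any directory created later in that process with mkdir(..., 0700) comes out 0600 and cannot be entered even by its owner. The same 077 -> 0177 substitution is listed for krb5_child.c in the diffstat. That is harmless where only files are created, but the commit message should say that this is a deliberate tightening rather than a pure rename, and any call site that creates directories should keep 077 or change the umask locally around the mkdir() as krb5_ccache.c does.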
Re: [SSSD] RFC: Improving the debug messages
On 09/30/2015 11:15 AM, Jakub Hrozek wrote: On Wed, Sep 30, 2015 at 09:53:24AM +0200, Sumit Bose wrote: It's https://fedorahosted.org/sssd/ticket/2808 . Please add ideas and suggestions about how those tags should look. Thanks, I resurrected https://fedorahosted.org/sssd/ticket/1372 from Deferred as well. This topic resonates with me. Text instead of hexadecimal numbers is better and it could make our logs more understandable. And usage patterns are very nice guides for orientation in logs. I would like to work on this ticket. Petr
Re: [SSSD] Review of umask() in SSSD
On 10/01/2015 01:19 PM, Jakub Hrozek wrote: On Thu, Oct 01, 2015 at 12:38:49PM +0200, Petr Cech wrote: Bump. Thanks for the reply, Jakub. Why was 077 changed for 0177? This change is something which I think was discussed earlier in this thread. # pcech: # > I would like to ask you if we would like to use 0077 or 0177 as our very # > restrictive mask. I see that our code is not consistent on this question. I # > know the difference is small, but it is. # # jhrozek: # I guess 0177 should be used. I think that we work only with files, not with directories, I should check it again. So, if it is risky, I will change it. :-) About the name -- shouldn't we say just "SSS_DFL_UMASK" ? We are a security project, therefore restrictive by default :-) You're right, we are a security project by default, so I changed the constant name. >From 0f1946aecec78e7faaa3f5815ad06969b1234389 Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Tue, 15 Sep 2015 10:50:37 -0400 Subject: [PATCH] REFACTOR: Review of umask() function We have many uses of umask() in our code. This patch substitutes values with constants and adds comments in some cases. Resolves: https://fedorahosted.org/sssd/ticket/2424 --- src/confdb/confdb.c | 2 +- src/p11_child/p11_child_nss.c | 2 +- src/providers/krb5/krb5_ccache.c| 1 + src/providers/krb5/krb5_child.c | 2 +- src/responder/common/responder_common.c | 3 ++- src/responder/pam/pamsrv.c | 3 ++- src/tests/check_and_open-tests.c| 2 +- src/tests/debug-tests.c | 4 ++-- src/tests/util-tests.c | 2 +- src/util/debug.c| 2 +- src/util/domain_info_utils.c| 4 ++-- src/util/server.c | 2 +- src/util/util.h | 2 ++ 13 files changed, 18 insertions(+), 13 deletions(-) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index d811f7cbf597db5c5ee5fa658c8864233da8f2e0..0f76a3d140ec832467c8382df088ac0e279207c0 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c 
@@ -659,7 +659,7 @@ int confdb_init(TALLOC_CTX *mem_ctx, return EIO; } -old_umask = umask(0177); +old_umask = umask(SSS_DFL_UMASK); ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL); umask(old_umask); diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c index 44ba6678893408dbfc0c6c7cfd5edcdaa789f518..87bc376bcd2add74388504ba7e591592d2a818c7 100644 --- a/src/p11_child/p11_child_nss.c +++ b/src/p11_child/p11_child_nss.c @@ -482,7 +482,7 @@ int main(int argc, const char *argv[]) debug_level = SSSDBG_INVALID; clearenv(); -umask(077); +umask(SSS_DFL_UMASK); pc = poptGetContext(argv[0], argc, argv, long_options, 0); while ((opt = poptGetNextOpt(pc)) != -1) { diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c index f9bb25efd4ca3257845c3b157667d21d24299f4a..5de596f341a53958f312d114c1f95c4728d9d5df 100644 --- a/src/providers/krb5/krb5_ccache.c +++ b/src/providers/krb5/krb5_ccache.c @@ -185,6 +185,7 @@ static errno_t create_ccache_dir(const char *ccdirname, uid_t uid, gid_t gid) "Creating directory [%s].\n", li->s); new_dir_mode = 0700; +/* We need umask because we will create directory. */ old_umask = umask(); ret = mkdir(li->s, new_dir_mode); umask(old_umask); diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 1edf10ab81d283c45e9c3343341ceaa524970e11..be8db23df4660adcb59fcd2677b28ee415cd18d8 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -720,7 +720,7 @@ static krb5_error_code create_ccache(char *ccname, krb5_creds *creds) #endif /* Set a restrictive umask, just in case we end up creating any file */ -umask(077); +umask(SSS_DFL_UMASK); /* we create a new context here as the main process one may have been * opened as root and contain possibly references (even open handles ?) 
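Review bot: in the krb5_ccache.c hunk the new comment "We need umask because we will create directory." does not say why the umask is changed at this spot; the point is that the directory must get exactly new_dir_mode (0700) regardless of the umask the process inherited, which is why it is changed around the single mkdir() and restored immediately after. Something like `/* Override the inherited umask so mkdir() gets exactly new_dir_mode; restored below. */` would carry that. In the krb5_child.c hunk, SSS_DFL_UMASK (0177) replaces 077 under the comment "just in case we end up creating any file"; that still holds for files, but it is worth noting there that 0177 also strips owner search permission from any directory created while it is in effect.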
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c index 2097004cb0fc24d8b356f9d924243f948227ef58..baaf0412b4a70537a2523a98ff33d8f34f194b47 100644 --- a/src/responder/common/responder_common.c +++ b/src/responder/common/responder_common.c @@ -690,7 +690,8 @@ static int set_unix_socket(struct resp_ctx *rctx) if (rctx->priv_sock_name != NULL ) { /* create privileged pipe */ if (rctx->priv_lfd == -1) { -ret = create_pipe_fd(rctx->priv_sock_name, >priv_lfd, 0177); +ret = create_pipe_fd(rctx->priv_sock_name, >priv_lfd, + DFL_RSP_UMASK); if (ret != EOK) { goto failed; } diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c index 3fe467c3cfc4c63b9
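The file-versus-directory difference behind the 077/0177 question in this thread (the original review earlier and the exchange just above), as an added example that is not code from the patch. It uses the patch's constant name SSS_DFL_UMASK with its value 0177; the 077 variant is named DEMO_DIR_UMASK and the helper mode_after_umask() is this example's own. It creates and removes scratch entries under /tmp and reports the permission bits the kernel actually stored.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* SSS_DFL_UMASK is the constant name and value from the patch in this
 * thread. DEMO_DIR_UMASK is this example's own name for the 077 variant
 * that keeps owner execute/search; it is not a project constant. */
#define SSS_DFL_UMASK   0177
#define DEMO_DIR_UMASK  0077

/*
 * Create one file (is_dir == 0) or one directory (is_dir != 0) with the
 * requested mode while `mask` is the process umask, then return the
 * permission bits (mode & 0777) the kernel actually applied. The umask
 * is restored before returning and the scratch entries are removed.
 * Returns (mode_t)-1 on any failure.
 */
mode_t mode_after_umask(mode_t mask, int is_dir, mode_t requested)
{
    char tmpl[] = "/tmp/umask-demo-XXXXXX";
    char path[sizeof(tmpl) + 8];
    struct stat st;
    mode_t old_mask;
    mode_t result = (mode_t)-1;
    int ret;

    /* Scratch directory; force 0700 so the inherited umask cannot interfere. */
    if (mkdtemp(tmpl) == NULL || chmod(tmpl, 0700) != 0) {
        return (mode_t)-1;
    }
    snprintf(path, sizeof(path), "%s/%s", tmpl, is_dir ? "d" : "f");

    old_mask = umask(mask);
    if (is_dir) {
        ret = mkdir(path, requested);
    } else {
        ret = open(path, O_CREAT | O_EXCL | O_WRONLY, requested);
        if (ret >= 0) {
            close(ret);
            ret = 0;
        }
    }
    umask(old_mask);

    if (ret == 0 && stat(path, &st) == 0) {
        result = st.st_mode & 0777;
    }

    /* Clean up; removing a 0600 directory needs write+search on its
     * parent only, which the 0700 scratch directory provides. */
    if (is_dir) {
        rmdir(path);
    } else {
        unlink(path);
    }
    rmdir(tmpl);
    return result;
}

int main(void)
{
    printf("umask 0177: file 0666 -> %04o, dir 0777 -> %04o\n",
           (unsigned)mode_after_umask(SSS_DFL_UMASK, 0, 0666),
           (unsigned)mode_after_umask(SSS_DFL_UMASK, 1, 0777));
    printf("umask 0077: file 0666 -> %04o, dir 0777 -> %04o\n",
           (unsigned)mode_after_umask(DEMO_DIR_UMASK, 0, 0666),
           (unsigned)mode_after_umask(DEMO_DIR_UMASK, 1, 0777));
    return 0;
}
```

For files the two masks give the same 0600 result, so 0177 is strictly no worse. For directories they differ: under 0177 a mkdir(path, 0700) yields 0600, a directory the owner cannot enter, so 0177 is the right default only where the process creates files, and a code path that creates directories needs 077 or a local umask change around the mkdir(), as krb5_ccache.c does in the patch.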
Re: [SSSD] [PATCH] [HBAC]: Better libhbac debuging
On 09/18/2015 04:30 PM, Petr Cech wrote: Hello, there are fixed patches attached. Bump.
Re: [SSSD] Review of umask() in SSSD
Bump.
[SSSD] [PATCH] TEST: recent_valid filter testing
Hi, there is a WiP attached. I removed some tests like this one some time ago. They fail really often and we decided that the test logic was corrupted. Now I am trying to get it back into the codebase. There is some kind of cmocka magic around the data provider. I think it creates test_user_1 during creation of the filter. In the case of this type of test, we need two users, one stored before the filter request and one stored after the filter request. There is a special type of filter which has a time parameter that it searches from. So the filter returns only one user. If this concept is right, I will send the whole patch. Regards Petr PS: I applied my patch after 000*-cache_req_*. Those patches are on the list. >From aa0b0ab7c0a95ff47d5003907730c5432ff7bb85 Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Fri, 2 Oct 2015 07:34:08 -0400 Subject: [PATCH] TEST: recent_valid filter testing Some tests were removed in the past. This is only a WiP, not a regular patch. I rewrote one of the removed tests. Is this the right way? We speak about the RECENT filter. It returns only records which have been written or updated after the filter was created (or another given time). Some notes are written in the comments of this patch. Resolves: https://fedorahosted.org/sssd/ticket/2730 --- src/tests/cmocka/test_responder_cache_req.c | 60 - 1 file changed, 58 insertions(+), 2 deletions(-) diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c index bb79fd10eefd7186f17a1f9306b57ddca2e3279f..c01d92fd9f3f078d853da1642e63cdbc3a1aed7b 100644 --- a/src/tests/cmocka/test_responder_cache_req.c +++ b/src/tests/cmocka/test_responder_cache_req.c 
@@ -1239,6 +1239,58 @@ static void cache_req_user_by_filter_test_done(struct tevent_req *req) ctx->tctx->done = true; } +/* NOTE better name is filter_recent_valid */ +void test_users_by_filter_valid(void **state) +{ +struct cache_req_test_ctx *test_ctx = NULL; +TALLOC_CTX *req_mem_ctx = NULL; +struct tevent_req *req = NULL; +const char *ldbname = NULL; +errno_t ret; + +test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); +test_ctx->create_user = true; + +/* NOTE This user (#2) is stored before filter creation. */ +ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME2, "pwd", 1001, 1001, + NULL, NULL, NULL, "cn="TEST_USER_NAME2",dc=test", NULL, + NULL, 1000, time(NULL)); +assert_int_equal(ret, EOK); + +/* NOTE To make sure that the times of user/filter creation will vary.*/ +sleep(1); + +req_mem_ctx = talloc_new(global_talloc_context); +check_leaks_push(req_mem_ctx); + +/* Filters always go to DP */ +will_return(__wrap_sss_dp_get_account_send, test_ctx); +mock_account_recv_simple(); + +/* NOTE During this call the TEST_USER_NAME (#1) will be stored. */ +req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev, +test_ctx->rctx, +test_ctx->tctx->dom->name, +"test*"); +assert_non_null(req); + +tevent_req_set_callback(req, cache_req_user_by_filter_test_done, test_ctx); + +ret = test_ev_loop(test_ctx->tctx); +assert_int_equal(ret, ERR_OK); +assert_true(check_leaks_pop(req_mem_ctx)); + +/* NOTE We receive only user #1, because #2 was stored before filter was created. */ +assert_non_null(test_ctx->result); +assert_int_equal(test_ctx->result->count, 1); + +ldbname = ldb_msg_find_attr_as_string(test_ctx->result->msgs[0], + SYSDB_NAME, NULL); +assert_non_null(ldbname); +assert_string_equal(ldbname, TEST_USER_NAME); +} + + void test_users_by_filter_filter_old(void **state) { struct cache_req_test_ctx *test_ctx = NULL; 
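Review bot: the `sleep(1)` used to make user #2 older than the filter is both slow and racy, since the store time and the filter's creation time are both taken from time(NULL) at second granularity. sysdb_store_user() already takes the timestamp as its last argument (the hunk passes `time(NULL)`), so store user #2 with an explicitly older time such as `time(NULL) - 10` and drop the sleep; that also exercises the "or another given time" case from the commit message deterministically. Two smaller points: the final `assert_int_equal(ret, ERR_OK)` should use the same EOK the rest of this file asserts, and the NOTE comments should say that user #1 is created by the mocked DP call inside cache_req_user_by_filter_send() while user #2 is written directly to sysdb, since that ordering is the whole point of the test.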
@@ -1429,7 +1481,7 @@ int main(int argc, const char *argv[]) }; const struct CMUnitTest tests[] = { -new_single_domain_test(user_by_name_cache_valid), +/*new_single_domain_test(user_by_name_cache_valid), new_single_domain_test(user_by_name_cache_expired), new_single_domain_test(user_by_name_cache_midpoint), new_single_domain_test(user_by_name_ncache), @@ -1475,13 +1527,17 @@ int main(int argc, const char *argv[]) new_single_domain_test(group_by_id_missing_notfound), new_multi_domain_test(group_by_id_multiple_domains_found), new_multi_domain_test(group_by_id_multiple_domains_notfound), +*/ +new_single_domain_test(users_by_filter_valid), +/* new_single_domain_test(users_by_filter_filter_old), new_single_domain_test(users_by_filter_notfound), new_multi_domain_test(users_by_filter_multiple_domains_notfound), new_single_domain_test(g
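Review bot: the main() hunk comments out every other test in the suite with `/* ... */`, which is fine while iterating but must not land: the final patch should add `new_single_domain_test(users_by_filter_valid),` as a single line in the list. The block-comment approach is also fragile here, since it stops working as soon as any of the commented-out lines gains a comment of its own; `#if 0` / `#endif` is the usual way to park a range temporarily.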