[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) jhrozek commented: """ CI: http://sssd-ci.duckdns.org/logs/job/57/35/summary.html sssd-1-13: b6d0b0a14c7f09371cbb2afd0347f6a16fcfc8dd """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-262723829 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) jhrozek commented: """ (CI pending) """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-262709772 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) jhrozek commented: """ ack, this version works for me """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-262709744 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ Squashed version pushed. """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-262694326 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) lslebodn commented: """ On (23/11/16 08:07), celestian wrote: >I pushed new version. The patch is the same plus I added back-ported patch >from #80 (with cerry-pick tag). > NACK to two patches. As I explained it before there is not a reason to introduce regression in one patch and fix in another patch. Please squash them together. The commit message can contain information about squasing commits LS """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-262582550 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ I pushed new version. The patch is the same plus I added back-ported patch from #80 (with cerry-pick tag). """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-262557829 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) jhrozek commented: """ regardless of what we choose, the patch for PR #80 does not apply atop this patch, can we have a version that applies to the 1.13 branch, please? """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-262536635 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) lslebodn commented: """ On (23/11/16 06:19), celestian wrote: >Thanks for CR. >After pushing it is important to cherry pick #80 as well. > I do not agree. The ticket #3241 was a regression caused by #3203. This patch should fix #3203 for 1.13 I do not see a reason why we should introduce regression with the patch a fix it with other patch. I would prefer to squash patches together for 1.13 branch. LS """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-262532341 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) jhrozek commented: """ For some reason the downstream tests are stuck and time out, even with known-good packages. I will keep trying but for downstream's sake I'm going to push the patch based on my manual testing. """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-262530794 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ Thanks for CR. After pushing it is important to cherry pick #80 as well. """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-262524310 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) jhrozek commented: """ ACK, this version works for me. I will run also downstream tests to be sure, but my manual testing passed. """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-262221752 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ So, I pushed new version. Now ```sysdb_get_sudo_filter()``` uses ```nameAlias``` values. (And after pushing #80 I will cherry-pick it to 1.13 too.) """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-261940320 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) jhrozek commented: """ Apart from fixing ticket #3241, why does sysdb_get_sudo_filter add its own lowercased name and does not add all nameAlias values instead? """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-261255728 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ I am afraid there is the same issue as in https://fedorahosted.org/sssd/ticket/3241. The patch will be added soon. """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-260886546 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ We discussed this issue with @jhrozek. I misunderstood the case -- the right is -- user is ```Administrator```, the sudoRule is written for user ```administrator``` on case insensitive domain (typically AD). Now we can see in logs proper filter: ``` [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=Administrator)(sudoUser=administrator)... ``` And the sudoRule is: ``` dn: name=lessrule,cn=sudorules,cn=custom,cn=scorpion.domain,cn=sysdb cn: lessrule dataExpireTimestamp: 1479136324 entryUSN: 90154 name: lessrule objectClass: sudoRule originalDN: CN=lessrule,OU=sudoers,DC=scorpion,DC=domain sudoCommand: /usr/bin/less sudoHost: ALL sudoUser: administrator distinguishedName: name=lessrule,cn=sudorules,cn=custom,cn=scorpion.domain,cn= sysdb ``` I slightly changed the patch, new version is pushed. """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-260339114 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ I am sure this is enough. Maybe it is not the most direct solution. I try to explain it: We have user ```Administrator```, sysdb record looks like (minor items missed): ``` dn: name=Administrator,cn=users,cn=scorpion.domain,cn=sysdb fullName: Administrator gecos: Administrator gidNumber: 342400513 name: Administrator objectClass: user uidNumber: 342400500 objectSIDString: S-1-5-21-2022941956-2492201804-3493196904-500 uniqueID: c153af46-809a-41a0-baa6-de76b587e061 originalDN: CN=Administrator,CN=Users,DC=scorpion,DC=domain entryUSN: 69662 nameAlias: administrator ``` And we have ```lessrule```: ``` dn: name=lessrule,cn=sudorules,cn=custom,cn=scorpion.domain,cn=sysdb cn: lessrule dataExpireTimestamp: 1478853348 entryUSN: 45204 name: lessrule objectClass: sudoRule originalDN: CN=lessrule,OU=sudoers,DC=scorpion,DC=domain sudoCommand: /usr/bin/less sudoHost: ALL sudoUser: Administrator sudoUser: administrator distinguishedName: name=lessrule,cn=sudorules,cn=custom,cn=scorpion.domain,cn= sysdb ``` If we look at ```/var/log/secure```: ``` Nov 11 08:02:59 client sudo: pam_sss(sudo:auth): authentication success; logname=administrator uid=342400500 euid=0 tty=/dev/pts/2 ruser=administrator rhost= user=administrator Nov 11 08:02:59 client sudo: administrator : TTY=pts/2 ; PWD=/home/administrator@scorpion.domain ; USER=root ; COMMAND=/bin/less /etc/resolv.conf Nov 11 08:02:59 client sudo: pam_systemd(sudo:session): Cannot create session: Already running in a session Nov 11 08:02:59 client sudo: pam_unix(sudo:session): session opened for user root by administrator(uid=0) ``` I understand that it is searched by the correct name, but sudo finally accepts a name with lowercase letters. If I remove lowercase name from ```sudoRule``` it doesn't work anymore. I wonder if it is a way to make sudo to work with original login name. """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259897355 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) jhrozek commented: """ Are you sure this is enough? Because when the patch is applied, I see that we only match the sudoUser value with the original case. Don't we also need to match the lowercase version of the username? This is what sssd_sudo searches for: ``` (Thu Nov 10 13:11:01 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=Administrator)(sudoUser=#679800500)(sudoUser=%Group\20Policy\20Creator\20Owners)(sudoUser=%Enterprise\20Admins)(sudoUser=%Domain\20Admins)(sudoUser=%Schema\20Admins)(sudoUser=%Domain\20Users)(sudoUser=%Denied\20RODC\20Password\20Replication\20Group)(sudoUser=%sudogroup)(sudoUser=%Domain\20Users)(sudoUser=+*)))] ``` And this is the rule definition: ``` dn: name=morerule,cn=sudorules,cn=custom,cn=win.trust.test,cn=sysdb cn: morerule dataExpireTimestamp: 1478785266 entryUSN: 65695 name: morerule objectClass: sudoRule originalDN: CN=morerule,OU=sudoers,DC=win,DC=trust,DC=test sudoCommand: /bin/more sudoCommand: /usr/bin/more sudoHost: ALL sudoUser: administrator distinguishedName: name=morerule,cn=sudorules,cn=custom,cn=win.trust.test,cn=s ysdb ``` So """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259675726 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) jhrozek commented: """ oops...clicked send to early. I meant to say "So the filter never matches the lowercase sudoUser". """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259675812 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) jhrozek commented: """ On Tue, Nov 08, 2016 at 05:06:41AM -0800, celestian wrote: > Yes, the second patch explicitly qualifies the names. I don't know if there > is possibility to add wrong domain to the given user name this way. That's > the question. > > The reason for doing this is that function ```sudosrv_get_user()``` ask for > that type of name. How you can see: > ``` > # grep 'administrator' *.log > > # sssd_scorpion.domain.log: > [be_get_account_info] (0x0200): Got request for > [0x3][BE_REQ_INITGROUPS][1][name=administrator] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(sAMAccountName=administrator)(objectclass=user)(objectSID=*))][DC=scorpion,DC=domain]. > [pam_print_data] (0x0100): ruser: administrator@scorpion.domain > [sssd[be[scorpion.domain]]] [pam_print_data] (0x0100): ruser: > administrator@scorpion.domain > > # sssd_sudo.log: > [sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' > matched expression for domain 'scorpion.domain', user is administrator > [sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' > matched expression for domain 'scorpion.domain', user is administrator > [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for > [administrator] from [scorpion.domain] > [sss_ncache_check_str] (0x2000): Checking negative cache for > [NCE/USER/scorpion.domain/administrator] > [sudosrv_get_user] (0x0200): Requesting info about > [administrator@scorpion.domain] > [sudosrv_get_user] (0x0400): Returning info for user > [administrator@scorpion.domain] This is only how the DEBUG messages are formatted: 122 DEBUG(SSSDBG_FUNC_DATA, "Requesting info about [%s@%s]\n", 123 name, dom->name); and: 243 DEBUG(SSSDBG_TRACE_FUNC, "Returning info for user [%s@%s]\n", 244 cmd_ctx->username, dctx->domain->name); In the cache I can see both administra...@win.trust.test and administrator. But do we need the qualified name? Why? """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259134748 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ Yes, the second patch explicitly qualifies the names. I don't know if there is possibility to add wrong domain to the given user name this way. That's the question. The reason for doing this is that function ```sudosrv_get_user()``` ask for that type of name. How you can see: ``` # grep 'administrator' *.log # sssd_scorpion.domain.log: [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=administrator] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=administrator)(objectclass=user)(objectSID=*))][DC=scorpion,DC=domain]. [pam_print_data] (0x0100): ruser: administrator@scorpion.domain [sssd[be[scorpion.domain]]] [pam_print_data] (0x0100): ruser: administrator@scorpion.domain # sssd_sudo.log: [sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' matched expression for domain 'scorpion.domain', user is administrator [sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' matched expression for domain 'scorpion.domain', user is administrator [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [administrator] from [scorpion.domain] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/scorpion.domain/administrator] [sudosrv_get_user] (0x0200): Requesting info about [administrator@scorpion.domain] [sudosrv_get_user] (0x0400): Returning info for user [administrator@scorpion.domain] [sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' matched expression for domain 'scorpion.domain', user is administrator [sss_parse_name_for_domains] (0x0200): name 'administrator@scorpion.domain' matched expression for domain 'scorpion.domain', user is administrator [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [administrator] from [scorpion.domain] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/scorpion.domain/administrator] [sudosrv_get_user] (0x0200): Requesting info about [administrator@scorpion.domain] [sudosrv_get_user] (0x0400): Returning info for user [administrator@scorpion.domain] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [administrator@scorpion.domain] ``` """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259131495 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) jhrozek commented: """ On Tue, Nov 08, 2016 at 04:13:43AM -0800, celestian wrote: > I pushed new version, only one difference -- I fix cherry-pick pointer. > The patch works without ```sudoUserAlias``` but it still adds fq names to > sudoUser. > Is it OK? Is there way how to avoid fq names? Well, the second patch explicitly qualifies the names, is there a reason to qualify them? btw I haven't tested this patchset at all yet, do the qualified names work at all? """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259122246 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ I pushed new version, only one difference -- I fix cherry-pick pointer. The patch works without ```sudoUserAlias``` but it still adds fq names to sudoUser. Is it OK? Is there way how to avoid fq names? """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259121334 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ Since we have patch set for 1.15 pushed I will prepare proper cherry picking. """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259118455 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) pbrezina commented: """ So what is the current plan here? """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259118986 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ I pushed new version. Note: The patch set for 1.15 (and 1.14) is in new version too. It is possible that it will be needed to make cherry pick of Adding lowercase sudoUser from... again. """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-258371317 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) jhrozek commented: """ Setting changes requested to rework the patch to only include the sudoUser and not sudoUserAlias """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-258154386 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) pbrezina commented: """ The patch looks good to me. I'd feel better if we somehow managed to backport patch that solves the fully qualified issue in 1.14 though. I'm not that sure about simply appending domain qualification to sudoUser attributes. I don't recall all reasons why we did not do it, but it may be dangerous if you do not check the exact source where this users comes from. In theory you can have: ```ldif sudoUser: my-u...@domain.com sudoUser: my-user ``` Where `my-u...@domain.com` comes from domain that requires fully-qualified names and `my-user` is a local user. """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-256619222 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][comment] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) celestian commented: """ I just pushed new version of patch set. It is inspired by patch set for 1.14. And there is one little difference -- adding fq name for users in ```sudoUser``` attribute. I tested manually and it works. If it is needed I could add ```src/tests/cmocka/test_sysdb_sudo.c``` but it will differ from 1.14 one. """ See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-254464629 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
