On Fri, Jul 19, 2013 at 07:15:34PM +0300, Alexander Bokovoy wrote:
> On Fri, 19 Jul 2013, Jakub Hrozek wrote:
> >On Fri, Jul 19, 2013 at 04:29:37PM +0300, Alexander Bokovoy wrote:
> >>Hi!
> >>
> >>Apparently, getgrouplist(3) call is not available in Python older than
> >>Python 3.3. So I agreed with Jakub to have it bound to pysss Python
> >>module. We need this call to obtain list of groups trusted domain user
> >>belongs to for HBAC testing in FreeIPA.
> >>
> >>Additionally, I've fixed bug with linking of pysss. This patch is
> >>relevant to 1.10 as well, while the first one is needed in sssd 1.11.
> >>
> >>
> >>--
> >>/ Alexander Bokovoy
> >
> >>Subject: [PATCH 1/2] build: fix dependencies for pysss module
> >Ack
> >
> >>Subject: [PATCH 2/2] pysss: add pysss.getgrouplist(username)
> >
> >I would just like to amend the doctext to make it clear that this is
> >just a system wrapper and not limited to users served by the sssd. See
> >the attached patch, I'd like to squash it before pushing.
>
> >From a4b19b4b0e5d1e9b088059fc77f01e07d2407ca0 Mon Sep 17 00:00:00 2001
> >From: Jakub Hrozek <jhro...@redhat.com>
> >Date: Fri, 19 Jul 2013 16:52:11 +0200
> >Subject: [PATCH] Amend the doctext
> >
> >---
> >src/python/pysss.c | 2 ++
> >1 file changed, 2 insertions(+)
> >
> >diff --git a/src/python/pysss.c b/src/python/pysss.c > >index > >a2924ff32575e1d41a776769720129b42de860da..6ae9a25268e632817311ff3cf0cb9354d99b5be3 > > 100644 > >--- a/src/python/pysss.c > >+++ b/src/python/pysss.c > >@@ -751,6 +751,8 @@ fail: > > */ > >PyDoc_STRVAR(py_sss_getgrouplist__doc__, > > "Get list of groups user belongs to.\n\n" > >+ "NOTE: The interface uses the system NSS calls and is not limited to " > >+ "users served by the SSSD!\n" > > ":param username: name of user to get list for\n"); > > > >static PyObject *py_sss_getgrouplist(PyObject *self, PyObject *args)
> ACK.
>
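Review bot: the NOTE added just before `:param username:` ends in a single `\n`, so it runs directly into the parameter list, while the summary line above it is closed with `\n\n`. Ending the NOTE with `\n\n` would keep it a separate paragraph in the rendered help. The docstring also still documents only the parameter; since the note now tells callers that any NSS user is accepted, a line on what is returned and what happens for an unknown user would be worth adding.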
Squashed in the doctext fix and pushed to master. The first patch was also pushed to sssd-1-10.

> However, when testing this all with new FreeIPA code, I've found
> following issue: in ipa_server_mode = True I'm getting getgrgid(UPG) to
> return NULL (and my code in pysss_getgrouplist crashes). UPG here is a user
> private group.
>
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sbus_message_handler]
> (0x4000): Received SBUS method [getAccountInfo]
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [be_get_account_info]
> (0x0100): Got request for [4098][1][idnumber=1442800500]
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [ldb] (0x4000): Added timed
> event "ltdb_callback": 0x7f0338945b80
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [ldb] (0x4000): Added timed
> event "ltdb_timeout": 0x7f033897a450
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [ldb] (0x4000): Running timer
> event 0x7f0338945b80 "ltdb_callback"
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [ldb] (0x4000): Destroying
> timer event 0x7f033897a450 "ltdb_timeout"
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [ldb] (0x4000): Ending timer
> event 0x7f0338945b80 "ltdb_callback"
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_id_op_connect_step]
> (0x4000): reusing cached connection
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_groups_next_base]
> (0x0400): Searching for groups with base [cn=accounts,dc=lvee,dc=ipa]
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step]
> (0x0400): calling ldap_search_ext with
> [(&(gidNumber=1442800500)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=lvee,dc=ipa].
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [objectClass]
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [cn]
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [userPassword]
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [gidNumber]
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [member]
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [nsUniqueId]
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [modifyTimestamp]
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [entryUSN]
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_step]
> (0x2000): ldap_search_ext called, msgid = 35
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_process_result]
> (0x2000): Trace: sh[0x7f033893bc20], connected[1], ops[0x7f0338979900],
> ldap[0x7f0338919400]
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_process_message]
> (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_generic_ext_done]
> (0x0400): Search result: Success(0), no errmsg set
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_get_groups_process]
> (0x0400): Search for groups, returned 0 results.
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_id_op_done] (0x4000):
> releasing operation connection
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [acctinfo_callback] (0x0100):
> Request processed. Returned 0,0,Success
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_process_result]
> (0x2000): Trace: sh[0x7f033893bc20], connected[1], ops[(nil)],
> ldap[0x7f0338919400]
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sdap_process_result]
> (0x2000): Trace: ldap_result found nothing!
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sbus_dispatch] (0x4000):
> dbus conn: 7F0338931050
> (Fri Jul 19 19:06:49 2013) [sssd[be[lvee.ipa]]] [sbus_dispatch] (0x4000):
> Dispatching.
>

After a discussion on IRC with Tomas and Alexander, we found one bug in IPA. I'm also checking the recent idmap changes to see if we're behaving correctly.

>
> Also this:
> $ python
> Python 2.7.5 (default, Jul 8 2013, 09:48:59) [GCC 4.8.1 20130603 (Red Hat
> 4.8.1-1)] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>>import grp
> >>>grp.getgrname("1442800500")
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
> AttributeError: 'module' object has no attribute 'getgrname'
> >>>grp.getgrnam("1442800500")
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
> KeyError: 'getgrnam(): name not found: 1442800500'
> >>>grp.getgrnam("administra...@ad.lan")
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
> KeyError: 'getgrnam(): name not found: administra...@ad.lan'
> >>>import pwd
> >>>pwd.getpwnam("1442800500")
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
> KeyError: 'getpwnam(): name not found: 1442800500'
> >>>pwd.getpwnam("administra...@ad.lan")
> pwd.struct_passwd(pw_name='administra...@ad.lan', pw_passwd='*',
> pw_uid=1442800500, pw_gid=1442800500, pw_gecos='Administrator',
> pw_dir='/', pw_shell='')
> >>>
> --
> / Alexander Bokovoy
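The failure reported in this thread, getgrgid() returning NULL for a GID that getgrouplist(3) handed back, handled with a numeric fallback instead of a dereference. This is an added example, not code from the thread or from pysss; `gid_to_name`, `print_groups`, the injectable `gr_lookup_fn` and the constructed `fake_getgrgid` are hypothetical names, and Linux with glibc is assumed.

```c
#define _DEFAULT_SOURCE                 /* exposes getgrouplist(3) on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct group *(*gr_lookup_fn)(gid_t);   /* hypothetical lookup hook */

/* Write the group name for gid into buf. If the lookup returns NULL, fall
 * back to the decimal GID. Returns 1 when a name was found, 0 on fallback. */
int gid_to_name(gid_t gid, gr_lookup_fn lookup, char *buf, size_t len)
{
    struct group *gr = lookup(gid);
    int ok = (gr != NULL && gr->gr_name != NULL);
    if (ok) snprintf(buf, len, "%s", gr->gr_name);
    else    snprintf(buf, len, "%lu", (unsigned long)gid);
    return ok;
}

/* Constructed stand-in for getgrgid(): only GID 0 has an entry. */
struct group *fake_getgrgid(gid_t gid)
{
    static char name[] = "root";
    static struct group g = { .gr_name = name, .gr_gid = 0 };
    return gid == 0 ? &g : NULL;
}

/* Print user's groups via NSS. Returns the count of GIDs with no entry, -1 on error. */
int print_groups(const char *user)
{
    struct passwd *pw = getpwnam(user);
    int n = 16, missing = 0;
    char name[256];
    gid_t *gids = pw ? malloc((size_t)n * sizeof(*gids)) : NULL;
    if (gids == NULL) return -1;
    if (getgrouplist(user, pw->pw_gid, gids, &n) == -1) {  /* n = needed count */
        gid_t *tmp = realloc(gids, (size_t)n * sizeof(*gids));
        if (tmp == NULL) { free(gids); return -1; }
        gids = tmp;
        if (getgrouplist(user, pw->pw_gid, gids, &n) == -1) { free(gids); return -1; }
    }
    for (int i = 0; i < n; i++) {
        missing += !gid_to_name(gids[i], getgrgid, name, sizeof(name));
        puts(name);
    }
    free(gids);
    return missing;
}

int main(void) { return print_groups("root") < 0; }
```

A non-zero return from `print_groups` is the condition seen in the log above: the user's primary GID resolves through getpwnam() but has no matching group entry.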