[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups

jhrozek Wed, 29 Mar 2017 07:42:08 -0700

  URL: https://github.com/SSSD/sssd/pull/215
Title: #215: Support for non-POSIX users and groups


jhrozek commented:
"""
I fixed the minor issues in comments and the man pages. I also fixed the issue 
in the Kerberos provider with the following hunk:
```
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 0aa25ac..2faf18d 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -42,6 +42,8 @@
 #include "providers/krb5/krb5_utils.h"
 #include "providers/krb5/krb5_ccache.h"
 
+#define  NON_POSIX_CCNAME_FMT       "MEMORY:sssd_nonposix_dummy_%u"
+
 static int krb5_mod_ccname(TALLOC_CTX *mem_ctx,
                            struct sysdb_ctx *sysdb,
                            struct sss_domain_info *domain,
@@ -317,7 +319,12 @@ static errno_t krb5_auth_prepare_ccache_name(struct 
krb5child_req *kr,
     case DOM_TYPE_APPLICATION:
         DEBUG(SSSDBG_TRACE_FUNC,
                "Domain type application, will use in-memory ccache\n");
-        kr->ccname = talloc_asprintf(kr, "MEMORY:%s", kr->pd->user);
+        /* We don't care about using cryptographic randomness, just
+         * a non-predictable ccname, so using rand() here is fine
+         */
+        kr->ccname = talloc_asprintf(kr,
+                                     NON_POSIX_CCNAME_FMT,
+                                     rand() % UINT_MAX);
         if (kr->ccname == NULL) {
             DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
             return ENOMEM;
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index e9fe185..cbbc892 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1572,6 +1572,15 @@ static krb5_error_code get_and_save_tgt(struct krb5_req 
*kr,
         DEBUG(SSSDBG_CONF_SETTINGS, "TGT validation is disabled.\n");
     }
 
+    /* In a non-POSIX environment, we only care about the return code from
+     * krb5_child, so let's not even attempt to create the ccache
+     */
+    if (kr->posix_domain == false) {
+        DEBUG(SSSDBG_TRACE_LIBS,
+              "Finished authentication in a non-POSIX domain\n");
+        goto done;
+    }
+
     /* If kr->ccname is cache collection (DIR:/...), we want to work
      * directly with file ccache (DIR::/...), but cache collection
      * should be returned back to back end.
@@ -1613,18 +1622,6 @@ static krb5_error_code get_and_save_tgt(struct krb5_req 
*kr,
               "add_ticket_times_and_upn_to_response failed.\n");
     }
 
-    /* In a non-POSIX environment, we only care about the return code from
-     * krb5_child, so let's just destroy the credentials immediatelly
-     */
-    if (kr->posix_domain == false) {
-        kerr = sss_krb5_cc_destroy(kr->ccname, kr->uid, kr->gid);
-        if (kerr != EOK) {
-            DEBUG(SSSDBG_OP_FAILURE,
-                  "Failed to destroy the in-memory ccache\n");
-            goto done;
-        }
-    }
-
     kerr = 0;
 
 done:
diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
index 12c8dfc..66ae68f 100644
--- a/src/providers/krb5/krb5_init.c
+++ b/src/providers/krb5/krb5_init.c
@@ -136,6 +136,9 @@ errno_t sssm_krb5_init(TALLOC_CTX *mem_ctx,
         return ENOMEM;
     }
 
+    /* Only needed to generate random ccache names for non-POSIX domains */
+    srand(time(NULL) * getpid());
+
     ret = sss_krb5_get_options(ctx, be_ctx->cdb, be_ctx->conf_path, 
&ctx->opts);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get krb5 options [%d]: %s\n",
```

I'm not sure if the srand and rand calls are nice, if you prefer I can just use 
some hardcoded name like you suggested..

And I also fixed the issue with the short boolean evaluations with the 
following hunk:
```
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index e51cf80..7400dc1 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -297,7 +297,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
         }
     }
 
-    if (state->non_posix == true) {
+    if (state->non_posix) {
         state->filter = talloc_asprintf(state,
                                         "(&%s(objectclass=%s)(%s=*))",
                                         user_filter,
diff --git a/src/providers/ldap/sdap_async_enum.c 
b/src/providers/ldap/sdap_async_enum.c
index 17f1cdf..91e481c 100644
--- a/src/providers/ldap/sdap_async_enum.c
+++ b/src/providers/ldap/sdap_async_enum.c
@@ -754,7 +754,7 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX 
*memctx,
         goto fail;
     }
 
-    if (non_posix == false && use_mapping) {
+    if (!non_posix && use_mapping) {
         /* If we're ID-mapping, check for the objectSID as well */
         state->filter = talloc_asprintf_append_buffer(
                 state->filter, "(%s=*)",
diff --git a/src/providers/ldap/sdap_async_initgroups.c 
b/src/providers/ldap/sdap_async_initgroups.c
index 6c63a3e..c926ddc 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2832,7 +2832,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX 
*memctx,
         }
     }
 
-    if (state->non_posix == true) {
+    if (state->non_posix) {
         state->user_base_filter = 
talloc_asprintf_append(state->user_base_filter,
                                                          ")");
     } else if (use_id_mapping) {
```
There was one place where the explicit form was already used for the 
use_id_mapping variable, so I left both in the same long form to be consistent 
in the single condition.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/215#issuecomment-290111675

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#215][comment] Support for non-POSIX users and groups

Reply via email to