January 2010 - sssd-devel - Fedora Mailing-Lists

by Timo Aaltonen

Hi I've understood that sssd still isn't fully tested against an Active Directory? We've got one and I'm trying to make an Ubuntu linux client to work with it by using samba, MIT krb5 libs and sssd. Things aren't going too strong though. AD seems to support only HOST$ -style principals and not SPN's, but even if I specify ldap_sasl_authid to that I only get an "Invalid credentials" when the daemon is trying to bind [sssd[be[AALTO]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: NEXUS6$ [sssd[be[AALTO]]] [sasl_bind_send] (1): ldap_sasl_bind failed (49)[Invalid credentials] So, am I missing something or is there something to be fixed :) -- Timo Aaltonen Systems Specialist IT Services, Aalto University School of Science and Technology

14 years, 3 months

2
1
0 / 0

[PATCHES] Collection, Ref Array, ELAPI

by Dmitri Pal

Hi, This is resubmission of the two earlier withdrawn patches (Ref Array and ELAPI) and addition of a new patch to collection. For details see the patch comments. Note about ELAPI patch: it is huge so it is zipped. This patch includes the first cut of eliminating the elapi_test directory altogether. The directory is not built any more so there is no need to spend much time looking at the files that were updated in this directory. They will be either removed in follow up patches or moved to elapi directory. -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/

14 years, 3 months

3
16
0 / 0

[PATCHES] Improved VERSION handling

by Stephen Gallagher

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Patch 0001: Use a version.m4 file instead of VERSION to set the version and prerelease version. This is done so that automake/autoconf will automatically detect changes to the file and process them accordingly, rather than manually being forced to rerun autoreconf if you change the version/prerelease version. Patch 0002: Add a 'prerelease-srpms' target to the toplevel Makefile if it is a git checkout. This will allow us to easily generate the n-v-r for the prerelease version of the SRPMs, as is done on the various automated builders. Patch 0003: Add a 'prerelease-rpms' target to the toplevel Makefile to automatically set the n-v-r when building local RPMs. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAktUc/QACgkQeiVVYja6o6O8WgCdFjWriT9+iGnpXzMrnSeUbguc X30An27EJeUOrhC1xJ/JdkpOQ4TIifO/ =PrNN -----END PGP SIGNATURE-----

14 years, 3 months

2
4
0 / 0

[PATCH] Add missing KRB5_LIBS

by Stephen Gallagher

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This was a bizarre bug. It was found by the Ubuntu packagers. On Fedora, we were providing an implicit dependency on -lkrb5 to the sssd_be binary through -lldb. On Ubuntu, there are no implicit dependencies, all deps must be specified manually. Fedora will be changing to this behavior in F13: http://fedoraproject.org/wiki/Features/ChangeInImplicitDSOLinking Anyway, the correct behavior here is to include KRB5_LIBS for libsss_krb5.so - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAktXcdkACgkQeiVVYja6o6P+1ACeJfial5YWTjXo3TumlMRQHwos op0An3DWejPjK44WB39m+p3kbk8x8LdA =5L+a -----END PGP SIGNATURE-----

14 years, 3 months

2
2
0 / 0

[PATCH] Pointers to non 32 bit aligned data were being cast to uint32_t *

by George McCollister

uint32_t pointers must point to 32 bit aligned data on ARM. Instead of padding the data to force it into alignment I altered the code to memcpy the data to an aligned location. I'd appreciate any and all feedback especially on whether I took the best approach. pam_test_client auth and pam_test_client acct now work on my armeb-xscale-linux-gnueabi target. Signed-off-by: George McCollister <georgem(a)novatech-llc.com> --- server/responder/common/responder_cmd.c | 2 +- server/responder/pam/pamsrv_cmd.c | 18 +++++---- sss_client/pam_sss.c | 65 ++++++++++++++++++------------- 3 files changed, 49 insertions(+), 36 deletions(-) diff --git a/server/responder/common/responder_cmd.c b/server/responder/common/responder_cmd.c index 5d40d29..cd98903 100644 --- a/server/responder/common/responder_cmd.c +++ b/server/responder/common/responder_cmd.c @@ -56,7 +56,7 @@ int sss_cmd_get_version(struct cli_ctx *cctx) sss_packet_get_body(cctx->creq->in, &req_body, &req_blen); if (req_blen == sizeof(uint32_t)) { - client_version = (uint32_t ) *req_body; + memcpy(&client_version, req_body, sizeof(uint32_t)); DEBUG(5, ("Received client version [%d].\n", client_version)); i=0; diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c index 8a7ccd9..324ab83 100644 --- a/server/responder/pam/pamsrv_cmd.c +++ b/server/responder/pam/pamsrv_cmd.c @@ -37,12 +37,12 @@ static int extract_authtok(uint32_t *type, uint32_t *size, uint8_t **tok, uint8_ if (blen-(*c) < 2*sizeof(uint32_t)) return EINVAL; - data_size = ((uint32_t *)&body[*c])[0]; + memcpy(&data_size, &body[*c], sizeof(uint32_t)); *c += sizeof(uint32_t); if (data_size < sizeof(uint32_t) || (*c)+(data_size) > blen) return EINVAL; *size = data_size - sizeof(uint32_t); - *type = ((uint32_t *)&body[*c])[0]; + memcpy(type, &body[*c], sizeof(uint32_t)); *c += sizeof(uint32_t); *tok = body+(*c); @@ -58,7 +58,7 @@ static int extract_string(char **var, uint8_t *body, size_t blen, size_t *c) { if (blen-(*c) < sizeof(uint32_t)+1) return EINVAL; - size = ((uint32_t *)&body[*c])[0]; + memcpy(&size, &body[*c], sizeof(uint32_t)); *c += sizeof(uint32_t); if (*c+size > blen) return EINVAL; @@ -78,10 +78,10 @@ static int extract_uint32_t(uint32_t *var, uint8_t *body, size_t blen, size_t *c if (blen-(*c) < 2*sizeof(uint32_t)) return EINVAL; - size = ((uint32_t *)&body[*c])[0]; + memcpy(&size, &body[*c], sizeof(uint32_t)); *c += sizeof(uint32_t); - *var = ((uint32_t *)&body[*c])[0]; + memcpy(var, &body[*c], sizeof(uint32_t)); *c += sizeof(uint32_t); return EOK; @@ -96,17 +96,18 @@ static int pam_parse_in_data_v2(struct sss_names_ctx *snctx, uint32_t size; char *pam_user; int ret; + uint32_t terminator = END_OF_PAM_REQUEST; if (blen < 4*sizeof(uint32_t)+2 || ((uint32_t *)body)[0] != START_OF_PAM_REQUEST || - ((uint32_t *)(&body[blen - sizeof(uint32_t)]))[0] != END_OF_PAM_REQUEST) { + memcmp(&body[blen - sizeof(uint32_t)], &terminator, sizeof(uint32_t)) != 0) { DEBUG(1, ("Received data is invalid.\n")); return EINVAL; } c = sizeof(uint32_t); do { - type = ((uint32_t *)&body[c])[0]; + memcpy(&type, &body[c], sizeof(uint32_t)); c += sizeof(uint32_t); if (c > blen) return EINVAL; @@ -670,6 +671,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) size_t blen; int timeout; int ret; + uint32_t terminator = END_OF_PAM_REQUEST; preq = talloc_zero(cctx, struct pam_auth_req); if (!preq) { return ENOMEM; @@ -685,7 +687,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) sss_packet_get_body(cctx->creq->in, &body, &blen); if (blen >= sizeof(uint32_t) && - ((uint32_t *)(&body[blen - sizeof(uint32_t)]))[0] != END_OF_PAM_REQUEST) { + memcmp(&body[blen - sizeof(uint32_t)], &terminator, sizeof(uint32_t)) != 0) { DEBUG(1, ("Received data not terminated.\n")); ret = EINVAL; goto done; diff --git a/sss_client/pam_sss.c b/sss_client/pam_sss.c index 951a1dc..7dff361 100644 --- a/sss_client/pam_sss.c +++ b/sss_client/pam_sss.c @@ -105,16 +105,20 @@ static size_t add_authtok_item(enum pam_item_type type, const char *tok, const size_t size, uint8_t *buf) { size_t rp=0; + uint32_t c; if (tok == NULL) return 0; - ((uint32_t *)(&buf[rp]))[0] = type; + c = type; + memcpy(&buf[rp], &c, sizeof(uint32_t)); rp += sizeof(uint32_t); - ((uint32_t *)(&buf[rp]))[0] = size + sizeof(uint32_t); + c = size + sizeof(uint32_t); + memcpy(&buf[rp], &c, sizeof(uint32_t)); rp += sizeof(uint32_t); - ((uint32_t *)(&buf[rp]))[0] = authtok_type; + c = authtok_type; + memcpy(&buf[rp], &c, sizeof(uint32_t)); rp += sizeof(uint32_t); memcpy(&buf[rp], tok, size); @@ -127,15 +131,18 @@ static size_t add_authtok_item(enum pam_item_type type, static size_t add_uint32_t_item(enum pam_item_type type, const uint32_t val, uint8_t *buf) { size_t rp=0; + uint32_t c; - - ((uint32_t *)(&buf[rp]))[0] = type; + c = type; + memcpy(&buf[rp], &c, sizeof(uint32_t)); rp += sizeof(uint32_t); - ((uint32_t *)(&buf[rp]))[0] = sizeof(uint32_t); + c = sizeof(uint32_t); + memcpy(&buf[rp], &c, sizeof(uint32_t)); rp += sizeof(uint32_t); - ((uint32_t *)(&buf[rp]))[0] = val; + c = val; + memcpy(&buf[rp], &c, sizeof(uint32_t)); rp += sizeof(uint32_t); return rp; @@ -144,13 +151,16 @@ static size_t add_uint32_t_item(enum pam_item_type type, const uint32_t val, static size_t add_string_item(enum pam_item_type type, const char *str, const size_t size, uint8_t *buf) { size_t rp=0; + uint32_t c; if (str == NULL || *str == '\0') return 0; - ((uint32_t *)(&buf[rp]))[0] = type; + c = type; + memcpy(&buf[rp], &c, sizeof(uint32_t)); rp += sizeof(uint32_t); - ((uint32_t *)(&buf[rp]))[0] = size; + c = size; + memcpy(&buf[rp], &c, sizeof(uint32_t)); rp += sizeof(uint32_t); memcpy(&buf[rp], str, size); @@ -179,6 +189,7 @@ static int pack_message_v3(struct pam_items *pi, size_t *size, int len; uint8_t *buf; int rp; + uint32_t terminator = END_OF_PAM_REQUEST; len = sizeof(uint32_t) + 2*sizeof(uint32_t) + pi->pam_user_size + @@ -231,7 +242,7 @@ static int pack_message_v3(struct pam_items *pi, size_t *size, pi->pam_newauthtok, pi->pam_newauthtok_size, &buf[rp]); - ((uint32_t *)(&buf[rp]))[0] = END_OF_PAM_REQUEST; + memcpy(&buf[rp], &terminator, sizeof(uint32_t)); rp += sizeof(uint32_t); if (rp != len) { @@ -362,43 +373,43 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf) int ret; size_t p=0; char *env_item; - int32_t *c; - int32_t *type; - int32_t *len; - int32_t *pam_status; + int32_t c; + int32_t type; + int32_t len; + int32_t pam_status; if (buflen < (2*sizeof(int32_t))) { D(("response buffer is too small")); return PAM_BUF_ERR; } - pam_status = ((int32_t *)(buf+p)); + memcpy(&pam_status, buf+p, sizeof(int32_t)); p += sizeof(int32_t); - c = ((int32_t *)(buf+p)); + memcpy(&c, buf+p, sizeof(int32_t)); p += sizeof(int32_t); - while(*c>0) { + while(c>0) { if (buflen < (p+2*sizeof(int32_t))) { D(("response buffer is too small")); return PAM_BUF_ERR; } - type = ((int32_t *)(buf+p)); + memcpy(&type, buf+p, sizeof(int32_t)); p += sizeof(int32_t); - len = ((int32_t *)(buf+p)); + memcpy(&len, buf+p, sizeof(int32_t)); p += sizeof(int32_t); - if (buflen < (p + *len)) { + if (buflen < (p + len)) { D(("response buffer is too small")); return PAM_BUF_ERR; } - switch(*type) { + switch(type) { case PAM_USER_INFO: - if (buf[p + (*len -1)] != '\0') { + if (buf[p + (len -1)] != '\0') { D(("user info does not end with \\0.")); break; } @@ -410,13 +421,13 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf) case ENV_ITEM: case PAM_ENV_ITEM: case ALL_ENV_ITEM: - if (buf[p + (*len -1)] != '\0') { + if (buf[p + (len -1)] != '\0') { D(("env item does not end with \\0.")); break; } D(("env item: [%s]", &buf[p])); - if (*type == PAM_ENV_ITEM || *type == ALL_ENV_ITEM) { + if (type == PAM_ENV_ITEM || type == ALL_ENV_ITEM) { ret = pam_putenv(pamh, (char *)&buf[p]); if (ret != PAM_SUCCESS) { D(("pam_putenv failed.")); @@ -424,7 +435,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf) } } - if (*type == ENV_ITEM || *type == ALL_ENV_ITEM) { + if (type == ENV_ITEM || type == ALL_ENV_ITEM) { env_item = strdup((char *)&buf[p]); if (env_item == NULL) { D(("strdup failed")); @@ -438,9 +449,9 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf) } break; } - p += *len; + p += len; - --(*c); + --c; } return PAM_SUCCESS; -- 1.6.4.2

14 years, 3 months

1
0
0 / 0

[PATCH] Band-aid for handling very large DNS replies

by Stephen Gallagher

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 c-ares will fall back to TCP if the UDP lookup reply has the TRUNCATED flag set. Our mainloop integration is not properly handling the bidirectional TCP communication. c-ares can be configured to ignore the TRUNCATED flag and just work with the shortened list of responses it receives over UDP. This patch will implement that solution in the short-term while we try to solve the bigger integration issue. My efforts in the integration area seem to be implying that there may be a bug in c-ares itself where it's not properly informing the mainloop when it wants to write, so this may be a very long process. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAktYdlgACgkQeiVVYja6o6PKYwCfVtG7edF+sJf1cEDy62palXYR k/QAn3B7jIC9XSDM6T6OdhEVZjnYqiws =Hl+m -----END PGP SIGNATURE-----

14 years, 3 months

1
1
0 / 0

[PATCH] Update the url in the spec files

by Sumit Bose

Hi, I just recognized that the url in the spec files is still pointing to freeipa. bye, Sumit

14 years, 3 months

3
2
0 / 0

[PATCH] For consideration: split libdhash off into a shared library

by Stephen Gallagher

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As we have been discussing lately, I looked into how difficult it would be to split our common tools into their own shared libraries. I experimented with dhash and found that it was pretty easy to do. (Thanks Automake and Libtool!) The attached patch builds libdhash as a .so and packages it in its own subpackage (and -devel subpackage). - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAktGQIQACgkQeiVVYja6o6NfWgCcCoSCW8uTyQmGB7/sJWjhG7gs OvEAn23LTJXUoREDbAKYRl7xfattG0Fc =ei3d -----END PGP SIGNATURE-----

14 years, 3 months

2
7
0 / 0

[PATCH] sss_groupshow - a utility to print properties of a local group

by Jakub Hrozek

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch adds a utility called sss_groupshow that allows user to print properties of a group in the local domain. Fixes: #306 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAktQpEQACgkQHsardTLnvCWJ7gCdGkyJUBxaqOdgch8b+fx1hm3m Ib4AnivXR8Wtm+cAFBAMDVfNxoo9f94I =CuVC -----END PGP SIGNATURE-----

14 years, 3 months

4
10
0 / 0

[PATCH] Add sysdb request to authenticate against a cached password

by Sumit Bose

Hi, this patch move the validation against cached password from the PAM responder code to a sysdb tevent request. This allows e.g. the Kerberos provider to check a password on it own when offline. This is needed for features like 'kinit when going online' or 'automatic ticket renewal' where the Kerberos provider needs to keep the password in memory. I think this is no material for 1.0.x, but for 1.1.x. bye, Sumit

14 years, 3 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel January 2010