AD interoperability
by Timo Aaltonen
Hi
I've understood that sssd still isn't fully tested against an Active
Directory? We've got one and I'm trying to make an Ubuntu linux client to
work with it by using samba, MIT krb5 libs and sssd. Things aren't going
too strong though. AD seems to support only HOST$ -style principals and
not SPNs, but even if I specify ldap_sasl_authid to that I only get an
"Invalid credentials" when the daemon is trying to bind
[sssd[be[AALTO]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: NEXUS6$
[sssd[be[AALTO]]] [sasl_bind_send] (1): ldap_sasl_bind failed (49)[Invalid credentials]
So, am I missing something or is there something to be fixed :)
--
Timo Aaltonen
Systems Specialist
IT Services, Aalto University School of Science and Technology
[PATCHES] Collection, Ref Array, ELAPI
by Dmitri Pal
Hi,
This is a resubmission of the two earlier withdrawn patches (Ref Array and
ELAPI) and the addition of a new patch to collection.
For details see the patch comments.
Note about ELAPI patch: it is huge so it is zipped. This patch includes
the first cut of eliminating the elapi_test directory altogether. The
directory is not built any more so there is no need to spend much time
looking at the files that were updated in this directory. They will be
either removed in follow-up patches or moved to the elapi directory.
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[PATCHES] Improved VERSION handling
by Stephen Gallagher
Patch 0001: Use a version.m4 file instead of VERSION to set the version
and prerelease version. This is done so that automake/autoconf will
automatically detect changes to the file and process them accordingly,
rather than manually being forced to rerun autoreconf if you change the
version/prerelease version.
Patch 0002: Add a 'prerelease-srpms' target to the toplevel Makefile if
it is a git checkout. This will allow us to easily generate the n-v-r
for the prerelease version of the SRPMs, as is done on the various
automated builders.
Patch 0003: Add a 'prerelease-rpms' target to the toplevel Makefile to
automatically set the n-v-r when building local RPMs.
--
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
[PATCH] Add missing KRB5_LIBS
by Stephen Gallagher
This was a bizarre bug. It was found by the Ubuntu packagers. On Fedora,
we were providing an implicit dependency on -lkrb5 to the sssd_be binary
through -lldb. On Ubuntu, there are no implicit dependencies, all deps
must be specified manually.
Fedora will be changing to this behavior in F13:
http://fedoraproject.org/wiki/Features/ChangeInImplicitDSOLinking
Anyway, the correct behavior here is to include KRB5_LIBS for libsss_krb5.so
--
Stephen Gallagher
[PATCH] Pointers to non 32 bit aligned data were being cast to uint32_t *
by George McCollister
uint32_t pointers must point to 32-bit-aligned data on ARM. Instead of padding the data to force it into alignment, I altered the code to memcpy the data to an aligned location. I'd appreciate any and all feedback, especially on whether I took the best approach.
pam_test_client auth and pam_test_client acct now work on my armeb-xscale-linux-gnueabi target.
Signed-off-by: George McCollister <georgem(a)novatech-llc.com>
---
server/responder/common/responder_cmd.c | 2 +-
server/responder/pam/pamsrv_cmd.c | 18 +++++----
sss_client/pam_sss.c | 65 ++++++++++++++++++-------------
3 files changed, 49 insertions(+), 36 deletions(-)
diff --git a/server/responder/common/responder_cmd.c b/server/responder/common/responder_cmd.c
index 5d40d29..cd98903 100644
--- a/server/responder/common/responder_cmd.c
+++ b/server/responder/common/responder_cmd.c
@@ -56,7 +56,7 @@ int sss_cmd_get_version(struct cli_ctx *cctx)
sss_packet_get_body(cctx->creq->in, &req_body, &req_blen);
if (req_blen == sizeof(uint32_t)) {
- client_version = (uint32_t ) *req_body;
+ memcpy(&client_version, req_body, sizeof(uint32_t));
DEBUG(5, ("Received client version [%d].\n", client_version));
i=0;
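Review bot: the memcpy size is hard-coded to sizeof(uint32_t) rather than sizeof(client_version), so the copy silently goes wrong if the declared type of client_version ever changes; `memcpy(&client_version, req_body, sizeof(client_version));` ties the two together. The DEBUG line in the same hunk prints the unsigned value with %d; %u is the matching conversion.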
diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c
index 8a7ccd9..324ab83 100644
--- a/server/responder/pam/pamsrv_cmd.c
+++ b/server/responder/pam/pamsrv_cmd.c
@@ -37,12 +37,12 @@ static int extract_authtok(uint32_t *type, uint32_t *size, uint8_t **tok, uint8_
if (blen-(*c) < 2*sizeof(uint32_t)) return EINVAL;
- data_size = ((uint32_t *)&body[*c])[0];
+ memcpy(&data_size, &body[*c], sizeof(uint32_t));
*c += sizeof(uint32_t);
if (data_size < sizeof(uint32_t) || (*c)+(data_size) > blen) return EINVAL;
*size = data_size - sizeof(uint32_t);
- *type = ((uint32_t *)&body[*c])[0];
+ memcpy(type, &body[*c], sizeof(uint32_t));
*c += sizeof(uint32_t);
*tok = body+(*c);
@@ -58,7 +58,7 @@ static int extract_string(char **var, uint8_t *body, size_t blen, size_t *c) {
if (blen-(*c) < sizeof(uint32_t)+1) return EINVAL;
- size = ((uint32_t *)&body[*c])[0];
+ memcpy(&size, &body[*c], sizeof(uint32_t));
*c += sizeof(uint32_t);
if (*c+size > blen) return EINVAL;
@@ -78,10 +78,10 @@ static int extract_uint32_t(uint32_t *var, uint8_t *body, size_t blen, size_t *c
if (blen-(*c) < 2*sizeof(uint32_t)) return EINVAL;
- size = ((uint32_t *)&body[*c])[0];
+ memcpy(&size, &body[*c], sizeof(uint32_t));
*c += sizeof(uint32_t);
- *var = ((uint32_t *)&body[*c])[0];
+ memcpy(var, &body[*c], sizeof(uint32_t));
*c += sizeof(uint32_t);
return EOK;
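Review bot: in extract_uint32_t the `size` field is read and then ignored; nothing checks that it equals sizeof(uint32_t) before `*var` is read from the following four bytes, so a malformed item with any other size is accepted. Add `if (size != sizeof(uint32_t)) return EINVAL;` between the two memcpy calls, mirroring the `data_size` validation done in extract_authtok.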
@@ -96,17 +96,18 @@ static int pam_parse_in_data_v2(struct sss_names_ctx *snctx,
uint32_t size;
char *pam_user;
int ret;
+ uint32_t terminator = END_OF_PAM_REQUEST;
if (blen < 4*sizeof(uint32_t)+2 ||
((uint32_t *)body)[0] != START_OF_PAM_REQUEST ||
- ((uint32_t *)(&body[blen - sizeof(uint32_t)]))[0] != END_OF_PAM_REQUEST) {
+ memcmp(&body[blen - sizeof(uint32_t)], &terminator, sizeof(uint32_t)) != 0) {
DEBUG(1, ("Received data is invalid.\n"));
return EINVAL;
}
c = sizeof(uint32_t);
do {
- type = ((uint32_t *)&body[c])[0];
+ memcpy(&type, &body[c], sizeof(uint32_t));
c += sizeof(uint32_t);
if (c > blen) return EINVAL;
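Review bot: the unchanged line `((uint32_t *)body)[0] != START_OF_PAM_REQUEST` still performs the unaligned cast this patch is removing, so pam_parse_in_data_v2 is not yet alignment-clean on ARM; read the marker into a uint32_t with memcpy (or memcmp against a local, as done for the terminator just below). In the loop, `memcpy(&type, &body[c], sizeof(uint32_t));` runs before `if (c > blen) return EINVAL;`, so the bounds check should precede the read, and it should check `c + sizeof(uint32_t) > blen` rather than `c > blen`.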
@@ -670,6 +671,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
size_t blen;
int timeout;
int ret;
+ uint32_t terminator = END_OF_PAM_REQUEST;
preq = talloc_zero(cctx, struct pam_auth_req);
if (!preq) {
return ENOMEM;
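Review bot: `uint32_t terminator = END_OF_PAM_REQUEST;` is now declared in both pam_parse_in_data_v2 and pam_forwarder; a single file-scope `static const uint32_t terminator = END_OF_PAM_REQUEST;` avoids the duplication and keeps the wire representation of the marker defined in one place.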
@@ -685,7 +687,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
sss_packet_get_body(cctx->creq->in, &body, &blen);
if (blen >= sizeof(uint32_t) &&
- ((uint32_t *)(&body[blen - sizeof(uint32_t)]))[0] != END_OF_PAM_REQUEST) {
+ memcmp(&body[blen - sizeof(uint32_t)], &terminator, sizeof(uint32_t)) != 0) {
DEBUG(1, ("Received data not terminated.\n"));
ret = EINVAL;
goto done;
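Review bot: the condition `blen >= sizeof(uint32_t) && memcmp(...) != 0` only rejects a body that is long enough and mis-terminated; a body shorter than four bytes skips the terminator check entirely and continues past this point. Unless the parser invoked later is relied on to reject it, invert the length test: `if (blen < sizeof(uint32_t) || memcmp(&body[blen - sizeof(uint32_t)], &terminator, sizeof(uint32_t)) != 0)`.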
diff --git a/sss_client/pam_sss.c b/sss_client/pam_sss.c
index 951a1dc..7dff361 100644
--- a/sss_client/pam_sss.c
+++ b/sss_client/pam_sss.c
@@ -105,16 +105,20 @@ static size_t add_authtok_item(enum pam_item_type type,
const char *tok, const size_t size,
uint8_t *buf) {
size_t rp=0;
+ uint32_t c;
if (tok == NULL) return 0;
- ((uint32_t *)(&buf[rp]))[0] = type;
+ c = type;
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
rp += sizeof(uint32_t);
- ((uint32_t *)(&buf[rp]))[0] = size + sizeof(uint32_t);
+ c = size + sizeof(uint32_t);
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
rp += sizeof(uint32_t);
- ((uint32_t *)(&buf[rp]))[0] = authtok_type;
+ c = authtok_type;
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
rp += sizeof(uint32_t);
memcpy(&buf[rp], tok, size);
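Review bot: `c = size + sizeof(uint32_t);` narrows a size_t to uint32_t without a check, so on a 64-bit build an oversized token wraps the encoded length while the following `memcpy(&buf[rp], tok, size);` still copies the full payload, leaving the length field and the data in disagreement. Either reject `size` larger than UINT32_MAX - sizeof(uint32_t) before the assignment or make the narrowing explicit with a cast and a comment; `c = size;` in add_string_item has the same issue.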
@@ -127,15 +131,18 @@ static size_t add_authtok_item(enum pam_item_type type,
static size_t add_uint32_t_item(enum pam_item_type type, const uint32_t val,
uint8_t *buf) {
size_t rp=0;
+ uint32_t c;
-
- ((uint32_t *)(&buf[rp]))[0] = type;
+ c = type;
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
rp += sizeof(uint32_t);
- ((uint32_t *)(&buf[rp]))[0] = sizeof(uint32_t);
+ c = sizeof(uint32_t);
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
rp += sizeof(uint32_t);
- ((uint32_t *)(&buf[rp]))[0] = val;
+ c = val;
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
rp += sizeof(uint32_t);
return rp;
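Review bot: the three-line sequence `c = ...; memcpy(&buf[rp], &c, sizeof(uint32_t)); rp += sizeof(uint32_t);` is now repeated in every add_*_item function, and the matching read side `memcpy(&x, &body[*c], sizeof(uint32_t)); *c += sizeof(uint32_t);` in every extract_* function; a pair of small static helpers (a put_uint32 and a get_uint32) would shrink this diff considerably and keep the alignment-safe idiom, and its bounds checks, in one auditable place.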
@@ -144,13 +151,16 @@ static size_t add_uint32_t_item(enum pam_item_type type, const uint32_t val,
static size_t add_string_item(enum pam_item_type type, const char *str,
const size_t size, uint8_t *buf) {
size_t rp=0;
+ uint32_t c;
if (str == NULL || *str == '\0') return 0;
- ((uint32_t *)(&buf[rp]))[0] = type;
+ c = type;
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
rp += sizeof(uint32_t);
- ((uint32_t *)(&buf[rp]))[0] = size;
+ c = size;
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
rp += sizeof(uint32_t);
memcpy(&buf[rp], str, size);
@@ -179,6 +189,7 @@ static int pack_message_v3(struct pam_items *pi, size_t *size,
int len;
uint8_t *buf;
int rp;
+ uint32_t terminator = END_OF_PAM_REQUEST;
len = sizeof(uint32_t) +
2*sizeof(uint32_t) + pi->pam_user_size +
@@ -231,7 +242,7 @@ static int pack_message_v3(struct pam_items *pi, size_t *size,
pi->pam_newauthtok, pi->pam_newauthtok_size,
&buf[rp]);
- ((uint32_t *)(&buf[rp]))[0] = END_OF_PAM_REQUEST;
+ memcpy(&buf[rp], &terminator, sizeof(uint32_t));
rp += sizeof(uint32_t);
if (rp != len) {
@@ -362,43 +373,43 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf)
int ret;
size_t p=0;
char *env_item;
- int32_t *c;
- int32_t *type;
- int32_t *len;
- int32_t *pam_status;
+ int32_t c;
+ int32_t type;
+ int32_t len;
+ int32_t pam_status;
if (buflen < (2*sizeof(int32_t))) {
D(("response buffer is too small"));
return PAM_BUF_ERR;
}
- pam_status = ((int32_t *)(buf+p));
+ memcpy(&pam_status, buf+p, sizeof(int32_t));
p += sizeof(int32_t);
- c = ((int32_t *)(buf+p));
+ memcpy(&c, buf+p, sizeof(int32_t));
p += sizeof(int32_t);
- while(*c>0) {
+ while(c>0) {
if (buflen < (p+2*sizeof(int32_t))) {
D(("response buffer is too small"));
return PAM_BUF_ERR;
}
- type = ((int32_t *)(buf+p));
+ memcpy(&type, buf+p, sizeof(int32_t));
p += sizeof(int32_t);
- len = ((int32_t *)(buf+p));
+ memcpy(&len, buf+p, sizeof(int32_t));
p += sizeof(int32_t);
- if (buflen < (p + *len)) {
+ if (buflen < (p + len)) {
D(("response buffer is too small"));
return PAM_BUF_ERR;
}
- switch(*type) {
+ switch(type) {
case PAM_USER_INFO:
- if (buf[p + (*len -1)] != '\0') {
+ if (buf[p + (len -1)] != '\0') {
D(("user info does not end with \\0."));
break;
}
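Review bot: `len` is a signed int32_t read from the response buffer, and the only guard is `if (buflen < (p + len))`; a negative `len` converts to a huge size_t in that addition, wraps the sum below buflen, passes the check, and then `buf[p + (len -1)]` indexes before `p`. A zero `len` likewise makes `len -1` negative. Reject `len <= 0` right after the memcpy that fills it, or declare `type` and `len` as uint32_t to match the sender's encoding in pack_message_v3.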
@@ -410,13 +421,13 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf)
case ENV_ITEM:
case PAM_ENV_ITEM:
case ALL_ENV_ITEM:
- if (buf[p + (*len -1)] != '\0') {
+ if (buf[p + (len -1)] != '\0') {
D(("env item does not end with \\0."));
break;
}
D(("env item: [%s]", &buf[p]));
- if (*type == PAM_ENV_ITEM || *type == ALL_ENV_ITEM) {
+ if (type == PAM_ENV_ITEM || type == ALL_ENV_ITEM) {
ret = pam_putenv(pamh, (char *)&buf[p]);
if (ret != PAM_SUCCESS) {
D(("pam_putenv failed."));
@@ -424,7 +435,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf)
}
}
- if (*type == ENV_ITEM || *type == ALL_ENV_ITEM) {
+ if (type == ENV_ITEM || type == ALL_ENV_ITEM) {
env_item = strdup((char *)&buf[p]);
if (env_item == NULL) {
D(("strdup failed"));
@@ -438,9 +449,9 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf)
}
break;
}
- p += *len;
+ p += len;
- --(*c);
+ --c;
}
return PAM_SUCCESS;
--
1.6.4.2
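The alignment-safe framing the patch describes, as an added example that is not part of the posted patch: a writer and a reader for a uint32_t-framed message (START marker, {type, size, payload} items, END marker) built with memcpy instead of casting the byte buffer, plus the bounds checks a responder needs on untrusted input. The marker values, item types and sample payload are constructed for the example and are not sssd's real constants.

```c
/* Added example (not the posted patch): alignment-safe framing of a uint32_t-prefixed
 * PAM request (START, {type,size,payload}..., END). Marker/type values are constructed. */
#include <stdint.h>
#include <string.h>
#define START_OF_PAM_REQUEST 0x53545254u /* constructed marker */
#define END_OF_PAM_REQUEST   0x454e4421u /* constructed marker */

/* Writer, as in the patch's add_*_item: memcpy, never cast buf to uint32_t *. */
static size_t put_uint32(uint8_t *buf, size_t rp, uint32_t v) {
    memcpy(buf + rp, &v, sizeof v);
    return rp + sizeof v;
}

/* Reader, as in the patch's extract_*: bounds check first, then memcpy. */
static int get_uint32(const uint8_t *body, size_t blen, size_t *c, uint32_t *out) {
    if (*c > blen || blen - *c < sizeof *out) return -1;
    memcpy(out, body + *c, sizeof *out);
    *c += sizeof *out;
    return 0;
}

/* Walk a framed message and count its items; -1 on any framing error. */
int count_pam_items(const uint8_t *body, size_t blen) {
    size_t c = 0;
    uint32_t v, size;
    int items = 0;
    if (get_uint32(body, blen, &c, &v) || v != START_OF_PAM_REQUEST) return -1;
    for (;;) {
        if (get_uint32(body, blen, &c, &v)) return -1;            /* item type */
        if (v == END_OF_PAM_REQUEST) return c == blen ? items : -1;
        if (get_uint32(body, blen, &c, &size) || size > blen - c) return -1;
        c += size;                       /* payload proven to fit; skip it */
        items++;
    }
}

/* Build a constructed two-item message at a deliberately odd address, then parse
 * it intact, truncated, and with an oversized length. Returns passed checks (3). */
int sample_checks(void) {
    uint8_t raw[64], *buf = raw + 1;
    uint32_t huge = 1000;
    int ok = 0;
    size_t rp = put_uint32(buf, 0, START_OF_PAM_REQUEST);
    rp = put_uint32(buf, rp, 7); rp = put_uint32(buf, rp, 5);      /* string item */
    memcpy(buf + rp, "user", 5); rp += 5;
    rp = put_uint32(buf, rp, 8); rp = put_uint32(buf, rp, 4);      /* uint32 item */
    rp = put_uint32(buf, rp, 42);
    rp = put_uint32(buf, rp, END_OF_PAM_REQUEST);                  /* rp == 33 */
    ok += count_pam_items(buf, rp) == 2;
    ok += count_pam_items(buf, rp - 1) == -1;      /* terminator cut short */
    memcpy(buf + 8, &huge, sizeof huge);           /* first item size > body */
    ok += count_pam_items(buf, rp) == -1;
    return ok;
}
```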
[PATCH] Band-aid for handling very large DNS replies
by Stephen Gallagher
c-ares will fall back to TCP if the UDP lookup reply has the TRUNCATED
flag set. Our mainloop integration is not properly handling the
bidirectional TCP communication.
c-ares can be configured to ignore the TRUNCATED flag and just work with
the shortened list of responses it receives over UDP. This patch will
implement that solution in the short-term while we try to solve the
bigger integration issue.
My efforts in the integration area seem to be implying that there may be
a bug in c-ares itself where it's not properly informing the mainloop
when it wants to write, so this may be a very long process.
--
Stephen Gallagher
[PATCH] For consideration: split libdhash off into a shared library
by Stephen Gallagher
As we have been discussing lately, I looked into how difficult it would
be to split our common tools into their own shared libraries. I
experimented with dhash and found that it was pretty easy to do. (Thanks
Automake and Libtool!)
The attached patch builds libdhash as a .so and packages it in its own
subpackage (and -devel subpackage).
--
Stephen Gallagher
[PATCH] sss_groupshow - a utility to print properties of a local group
by Jakub Hrozek
This patch adds a utility called sss_groupshow that allows a user to
print the properties of a group in the local domain.
Fixes: #306
[PATCH] Add sysdb request to authenticate against a cached password
by Sumit Bose
Hi,
this patch moves the validation against the cached password from the PAM
responder code to a sysdb tevent request. This allows e.g. the Kerberos
provider to check a password on its own when offline. This is needed for
features like 'kinit when going online' or 'automatic ticket renewal'
where the Kerberos provider needs to keep the password in memory.
I think this is no material for 1.0.x, but for 1.1.x.
bye,
Sumit