sssd-devel October 2010

sssd-devel@lists.fedorahosted.org

14 participants
65 discussions

Start a nNew thread

[PATCH] Fix a typo in dhash.h
by Sumit Bose 21 Oct '10

21 Oct '10

Hi, just a typo. bye, Sumit

2 1

[PATCH] Convert krb5_kdcip option to krb5_server
by Jan Zelený 19 Oct '10

19 Oct '10

Based on Jakub's proof-of-concept patch I prepared a patch which handles this option replacement. As it was discussed on the meeting couple weeks back, I didn't modify the update script (I hope I remember this requirement modification right) and in case both krb5_kdcip and krb5_server options are in the config file, the latter one has bigger priority. Jan

2 8

[PATCH] Write log opening failures to the syslog
by Stephen Gallagher 19 Oct '10

19 Oct '10

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If there is a problem with reopening the logs, it can be an audit trail issue. Make sure we log this in the syslog. Previously we were trying to write this to the debug log that we just proved couldn't be opened :-( - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAky98IYACgkQeiVVYja6o6PzYgCfdy38nA9GRohEl6sh+Qk3oY81 2nsAn2y20/Z56zPXo8tMDAx0mBOCeWfX =cdtq -----END PGP SIGNATURE-----

2 2

[Transifex] File submitted via email to SSSD | master
by admin＠transifex.net 19 Oct '10

19 Oct '10

Hello sssd, this is Transifex at http://www.transifex.net. The following attached files were submitted to SSSD | master by raven <piotrdrag(a)gmail.com> Please, visit Transifex at http://www.transifex.net/projects/p/sssd/c/master/ in order to see the component page. Thank you, Transifex

2 1

create_homedir and ldap domain
by Eric Doutreleau 19 Oct '10

19 Oct '10

i m still using sssd 1.3 and in my ldap domain i have put the following statement create_homedir = False but the homedir is still created if it doesn't exist. can i use this directive for an ldap domain?

3 3

Re: [SSSD] [RFC][PATCH] Add new getgrgid2(), getgrnam2() interfaces to glibc
by Stephen Gallagher 19 Oct '10

19 Oct '10

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/18/2010 07:42 PM, Petr Baudis wrote: > This RFC patch adds support for new interfaces: getgrgid2(), > getgrnam2() and their *_r() variants. These interfaces allow > the user to specify whether the group.gr_mem field shall be > filled in. > > The issue we are trying to solve is that needlessly high load is > generated in large deployments with NIS/LDAP user groups with possibly > thousands of members. Even when nscd is used, the information is > requested and transferred frequently even when there never arises > any real use for the huge lists of members at the node at all. > > We have looked at some commonly used applications and e.g. for a normal > desktop, if some basic utilities and file managers would be trivially > modified to use the new interface, the full lists of users in a group > would never have to be downloaded. Right now, even ls will trigger > getting full lists of users in all groups it encounters. Moreover, e.g. > the sssd guys are reportedly trying to solve this problem by evil hacks > like randomly not filling or only partially filling the gr_mem field. > Actually, your information is a little bit incorrect. We recently discovered that we had a few bugs in SSSD that were causing us to only present a subset of the gr_mem field. This was entirely incorrect, and as of SSSD 1.2.4 and 1.4.0 we have rectified this problem. The way we do things in SSSD is, however, designed to significantly reduce the load on LDAP servers. When we perform a group lookup with getgrnam() or getgrgid(), we request ONLY this group from the LDAP server. What we then do on our client-side is to create in our cache mechanism a series of "fake" users in our data store. These users will be reported back to getgrnam(), but they are not separately looked up and populated with their complete user information unless they are directly requested by a getpwnam() or getpwid() request. The net result is that we will report all of the users that belong in a group, but we will not make additional requests to populate those users unless they are directly requested. Yes, for groups that have many thousands of users, we may make a single request that transfers a couple hundred kilobytes, but we do not make subsequent requests for each of those users in turn. RFC2307bis servers require slightly more processing, as we need to make multiple requests to LDAP if there are nested groups in play. But we never make more requests than the configured nesting limit. > Any comments on the API are welcome, including thoughts on how to > make it more elegant. Originally, I wanted to implement it as > gid_t getgidbyname(const char *name) etc., but I would have to redo > some parts of the NSS infrastructure to easily allow returning gid_t > instead of a struct. > > If there is a consensus that this is a good idea and Ulrich gives his > blessing, I will of course extend the patch to be compatible with older > NSS modules and add NIS support and nscd support. > I'm really not sure what the value of this approach is. Realistically, you're talking about creating an interface whose sole purpose is to map GID<->groupname and nothing else? I'm not sure there's sufficient value in this approach, given that it's possible as described above to limit the network requests. I think it makes much more sense to guide the respective name-service providers along the path of handling these requests more efficiently. I'm expanding this mailing to include the sssd-devel list for broader discussion. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAky9iTYACgkQeiVVYja6o6PwsACaAsWK6+lv/jsVLqQJhsml00hB z8IAni+cKfv2z9PNWLSe6qKO8Ol/KP53 =PeBB -----END PGP SIGNATURE-----

3 4

Announcing SSSD 1.4.0
by Stephen Gallagher 19 Oct '10

19 Oct '10

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The SSSD team proudly announces the release of the System Security Services Daemon version 1.4.0. As always, SSSD 1.4.0 can be downloaded at https://fedorahosted.org/sssd == Highlights == * Added support for netgroups to the LDAP provider * Performance improvements made to group processing of RFC2307 LDAP servers * Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin * Build-system improvements to support Gentoo * Split out several libraries into the ding-libs tarball * Manpage reviewed and updated == Detailed Changelog == Jakub Hrozek (30): * Fix wrong return value in HBAC time rules evaluation * Package systemd unit file * Move crypto functions into its own subdir * Add safe copy/move macros for uint16_t * Password obfuscation utility functions * Fix pysss linking * Python bindings for obfuscation * sss_obfuscate tool * Deobfuscate password in back ends * Fix assorted minor bugs in sss_ tools * Fix parameter order when initializing decryption * Revert "Make ldap bind asynchronous" * Define objectclass with a constant * Use a different min_id for local domain * Add parameter to skip cleanup in sysdb test * Fix sysdb_group_dn_name * Fix sysdb_attrs_to_list * Request the correct attribute name * Add KDC to the list of LDAP options * Report Kerberos error code from ldap_child_get_tgt_sync * Make ldap_child report kerberos return code to parent * Initialize kerberos service for GSSAPI * Check for GSSAPI before attempting to kinit * Add sysdb_attrs_get_ulong utility function * sysdb interface for adding incomplete groups * Save dummy groups to cache during initgroups * sysdb interface for adding fake users * Save dummy member users during RFC2307 getgr{nam,gid} * Use unsigned long for conversion to id_t * set in_transaction explicitly to false Jan Zeleny (14): * Initialized return value in dp_copy_options() * Fixed potential comparison of undefined variable * Fixed printing of undefined value in sdap_async_accounts.c * Fixed uninialized value in proxy_id provider * Cleaned some dead assignments * Reviewed sssd-ldap man page * Fixed small issue in memory context hierarchy * Dead assignments cleanup in providers code * Dead assignments cleanup in NSS responder * Dead assignments cleanup in memberof module * Dead assignments cleanup in various places in SSSD * Disable events on ldap fd when offline. * Man pages should mention supported providers * Move all references to ldap_<entity>_search_base to "advanced" section Martin Nagy (1): * Make ldap bind asynchronous Maxim (6): * Fix building sssd * Fix configure check for ldb * Add gentoo distrubutions * Add custom pam module dir * Add gentoo-specific init dir * Remove useless /etc/dbus-1/system.d directory from installation Ralf Haferkamp (2): * Shortcut for save_group() to accept sysdb DNs as member attributes * Return all group members from getgr(nam|gid) Simo Sorce (2): * Check if control is supported before using it. * Add option to limit nested groups Stephen Gallagher (36): * Fix chpass operations with LDAP provider * Remove common directory * Rewrite toplevel Makefile * Build SSSD RPMs with external libraries * Remove src/Makefile.am and src/configure.ac * Don't build SSSDConfig API when configured with --without-python-bindings * Treat a zero-length password as a failure * Properly handle errors from a password change operation * Handle multiple simultaneous enumeration requests * Remove generated manpages when performing "make clean" * Request all group attributes during initgroups processing * Fix missing variable substitution in DEBUG message * Initgroups on a non-cached user should go to the data provider * Fix assorted specfile issues * Initialize debug_level to zero in crypto tests * Return offline instead of error * Add common hash table setup * Add utility function sss_strnlen() * Store entry_cache_timeout in sss_domain_info object * Require explicit setting of callback context for check_cache * Netgroups sysdb API * netgroup tests * Rename group.c and passwd.c for clarity * Add support for netgroups to NSS sss_client * Add negative cache features for netgroups * Split out some helper functions for the NSS responder * Add netgroup support to the NSS responder * Rename upgrade_config.py and build it properly * Assorted specfile changes * Make sdap_save_users_send handle zero users gracefully * Handle nested groups in RFC2307bis * Modify sysdb_[add|remove]_group_member to accept users and groups * Add proper nested initgroup support for RFC2307bis servers * Updating translation files for release * Fix 'make distcheck' for XML documentation * Updating version for SSSD 1.4.0 release Sumit Bose (21): * Store rootdse supported features in sdap_handler * Handle host objects like other objects * Save all data to sysdb in one transaction * Use new MIT krb5 API for better password expiration warnings * Suppress some 'may be used uninitialized' warnings * Suppress some 'unchecked return value' warnings * Use POPT_TABLEEND to close option table * Add a missing include file * Rename index to idx * Distribute XML sources instead of man-pages * Remove unused defines * Raise the required version of libdhash * Add missing tevent_req_done() * Return NSS_STATUS_RETURN instead of NSS_STATUS_NOTFOUND * Add handling of nested netgroups to nss client * Do not fail if netgroup exists just update the attributes * Add sysdb_netgroup_base_dn() * Also return member groups to the client * Add infrastructure to LDAP provider for netgroup support * Implement netgroup support for LDAP provider * Avoid a global variable in netgroup client. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAky8lt4ACgkQeiVVYja6o6NC+QCfTYv7LhCuNnZQ5coLwqkoQ2/K zn4An3ah9ZOi2eu+E8ETZRgoY8lw0gRk =x48f -----END PGP SIGNATURE-----

2 2

[PATCH] Serialize authentication requests
by Jan Zelený 19 Oct '10

19 Oct '10

I'm sending a patch which is resolving ticket #533 by implementing a hash table into the PAM responder. For testing I followed this approach: 0) Configure sssd to use RH LDAP and KRB 1) Activate shaping on the host computer tc qdisc add dev eth0 root netem delay 2s 2) Run 2 separate shells with non-root user logged in 3) In both shells run su - <login> simultaneously 4) When asked for password, type in your password, but don't hit enter 5) When you have a password typed in both shells, hit enter in the first one, quickly switch to the other one and hit enter there (you should have 2s window to do this) In both shells you should be logged in as <login> and you should have the same ticket cache file. Something about the concept: I took it from NSS responder (or rather the common part, which retrieves information about user) as suggested in the ticket. But as Jakub pointed out to me, it is questionable whether we want to invoke all associated callbacks by scheduling them on the same time. The easier alternative is to call them all one after another in a cycle. I suppose it was implemented this way so it doesn't take long to forward all associated replies and other requests from PAM module can be served. Am I right? Or would it be better to re-write the patch and use the cycle instead? Thanks Jan

2 1

[PATCH] Fix 'make distcheck' for XML documentation
by Stephen Gallagher 18 Oct '10

18 Oct '10

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 A missing $(srcdir) variable was preventing 'make distcheck' from working if run from a parallel build directory. Pushed to master under one-liner rule. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAky8h60ACgkQeiVVYja6o6PdvQCgkceGP453nkQFctPdV2p3R8Yi yFwAmwffOv4jUQ4WviucoUxnXWA0LC2M =25Tt -----END PGP SIGNATURE-----

1 0

[PATCH] set in_transaction explicitly to false
by Jakub Hrozek 18 Oct '10

18 Oct '10

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I didn't hit this in development as I was running with -O0.. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAky4brYACgkQHsardTLnvCXTVQCfcmvQY0Nhk/NqFZAJDSC3buTU IT8An14UJEu8KAEruaj5XFcDlDwA2tqd =YzGW -----END PGP SIGNATURE-----

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel October 2010