[PATCH] Convert krb5_kdcip option to krb5_server
by Jan Zelený
Based on Jakub's proof-of-concept patch I prepared a patch which handles this
option replacement. As discussed at the meeting a couple of weeks back, I
didn't modify the update script (I hope I remember this requirement
modification right), and in case both the krb5_kdcip and krb5_server options are in
the config file, the latter one takes priority.
Jan
12 years, 11 months
[PATCH] Write log opening failures to the syslog
by Stephen Gallagher
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If there is a problem with reopening the logs, it can be an audit
trail issue. Make sure we log this in the syslog. Previously we were
trying to write this to the debug log that we just proved couldn't be
opened :-(
- --
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAky98IYACgkQeiVVYja6o6PzYgCfdy38nA9GRohEl6sh+Qk3oY81
2nsAn2y20/Z56zPXo8tMDAx0mBOCeWfX
=cdtq
-----END PGP SIGNATURE-----
12 years, 11 months
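The practice Stephen describes, as an added example that is not SSSD's own code: when the debug log cannot be (re)opened, the failure is reported to syslog rather than to the file that just failed to open. The function name, the log path and the syslog identifier are constructed for the example.

```c
/* Added example (not SSSD's own code): when a debug log file cannot be
 * (re)opened, report the failure to syslog instead of to the log we just
 * failed to open. Path, identifier and function names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Current debug log handle; NULL means "no file log available". */
static FILE *debug_log = NULL;

/* Try to (re)open the debug log at `path`.
 * Returns 0 on success, -1 on failure; `*err` receives errno (0 on success).
 * On failure the event is recorded in syslog so that an audit trail exists
 * even though the file-based log is unavailable. */
int reopen_debug_log(const char *path, int *err)
{
    FILE *f = fopen(path, "a");
    if (f == NULL) {
        int saved = errno;
        if (err) *err = saved;
        /* Do NOT try to write this into debug_log: that is exactly the
         * file we just proved cannot be opened. */
        openlog("example_logger", LOG_PID, LOG_DAEMON);
        syslog(LOG_ERR, "could not open debug log %s: %s", path, strerror(saved));
        closelog();
        return -1;
    }
    if (debug_log != NULL) fclose(debug_log);
    debug_log = f;
    if (err) *err = 0;
    return 0;
}

int main(void)
{
    int err = 0;
    /* A directory that does not exist, so the open must fail. */
    if (reopen_debug_log("/nonexistent-dir/example.log", &err) != 0)
        fprintf(stderr, "reopen failed: %s (reported via syslog)\n", strerror(err));
    return 0;
}
```

Note that errno is captured before any other libc call, since openlog()/syslog() may clobber it; the caller still gets the original reason.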
create_homedir and ldap domain
by Eric Doutreleau
I'm still using sssd 1.3 and in my LDAP domain I have put the following
statement
create_homedir = False
but the homedir is still created if it doesn't exist.
Can I use this directive for an LDAP domain?
12 years, 11 months
Re: [SSSD] [RFC][PATCH] Add new getgrgid2(), getgrnam2() interfaces to glibc
by Stephen Gallagher
On 10/18/2010 07:42 PM, Petr Baudis wrote:
> This RFC patch adds support for new interfaces: getgrgid2(),
> getgrnam2() and their *_r() variants. These interfaces allow
> the user to specify whether the group.gr_mem field shall be
> filled in.
>
> The issue we are trying to solve is that needlessly high load is
> generated in large deployments with NIS/LDAP user groups with possibly
> thousands of members. Even when nscd is used, the information is
> requested and transferred frequently even when there never arises
> any real use for the huge lists of members at the node at all.
>
> We have looked at some commonly used applications and e.g. for a normal
> desktop, if some basic utilities and file managers would be trivially
> modified to use the new interface, the full lists of users in a group
> would never have to be downloaded. Right now, even ls will trigger
> getting full lists of users in all groups it encounters. Moreover, e.g.
> the sssd guys are reportedly trying to solve this problem by evil hacks
> like randomly not filling or only partially filling the gr_mem field.
>
Actually, your information is a little bit incorrect. We recently
discovered that we had a few bugs in SSSD that were causing us to only
present a subset of the gr_mem field. This was entirely incorrect, and
as of SSSD 1.2.4 and 1.4.0 we have rectified this problem.
The way we do things in SSSD is, however, designed to significantly
reduce the load on LDAP servers. When we perform a group lookup with
getgrnam() or getgrgid(), we request ONLY this group from the LDAP
server. What we then do on our client-side is to create in our cache
mechanism a series of "fake" users in our data store. These users will
be reported back to getgrnam(), but they are not separately looked up
and populated with their complete user information unless they are
directly requested by a getpwnam() or getpwuid() request.
The net result is that we will report all of the users that belong in a
group, but we will not make additional requests to populate those users
unless they are directly requested.
Yes, for groups that have many thousands of users, we may make a single
request that transfers a couple hundred kilobytes, but we do not make
subsequent requests for each of those users in turn.
RFC2307bis servers require slightly more processing, as we need to make
multiple requests to LDAP if there are nested groups in play. But we
never make more requests than the configured nesting limit.
> Any comments on the API are welcome, including thoughts on how to
> make it more elegant. Originally, I wanted to implement it as
> gid_t getgidbyname(const char *name) etc., but I would have to redo
> some parts of the NSS infrastructure to easily allow returning gid_t
> instead of a struct.
>
> If there is a consensus that this is a good idea and Ulrich gives his
> blessing, I will of course extend the patch to be compatible with older
> NSS modules and add NIS support and nscd support.
>
I'm really not sure what the value of this approach is. Realistically,
you're talking about creating an interface whose sole purpose is to map
GID<->groupname and nothing else?
I'm not sure there's sufficient value in this approach, given that it's
possible as described above to limit the network requests. I think it
makes much more sense to guide the respective name-service providers
along the path of handling these requests more efficiently.
I'm expanding this mailing to include the sssd-devel list for broader
discussion.
12 years, 11 months
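A toy model of the client-side cache Stephen describes above, as an added example that is not SSSD's own code: a group lookup costs a single directory request and stores the member names as placeholder ("fake") entries; a member only becomes a full user entry when it is asked for by name. The directory contents, the names and the functions are constructed for the example, and request counters make the cost of each lookup visible.

```c
/* Added example, not SSSD's own code: a toy model of the "fake user" cache.
 * One directory request per group lookup; members are placeholders until a
 * getpwnam()-style lookup asks for them.  Everything here is constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_MEMBERS 8
#define MAX_USERS   16
#define NAME_LEN    32

enum user_state { USER_FAKE, USER_FULL };

struct cached_user {
    char name[NAME_LEN];
    enum user_state state;
    unsigned uid;            /* valid only when state == USER_FULL */
    char shell[NAME_LEN];    /* valid only when state == USER_FULL */
};

struct cached_group {
    char name[NAME_LEN];
    unsigned gid;
    int nmembers;
    char members[MAX_MEMBERS][NAME_LEN];
};

/* Constructed stand-in for the LDAP server: one RFC2307 group and its users. */
struct dir_user { const char *name; unsigned uid; const char *shell; };
static const struct dir_user directory_users[] = {
    { "alice", 1001, "/bin/bash" }, { "bob", 1002, "/bin/zsh" },
    { "carol", 1003, "/bin/bash" }, { "dave", 1004, "/bin/sh" },
};
static const char *directory_group_members[] = { "alice", "bob", "carol", "dave" };
static const char *directory_group_name = "engineering";
static const unsigned directory_group_gid = 5000;
#define NELEM(a) (sizeof (a) / sizeof (a)[0])

/* Round trips to the directory, so the cost of each lookup is visible. */
static int dir_group_requests = 0;
static int dir_user_requests = 0;

/* Client-side cache. */
static struct cached_user users[MAX_USERS];
static int nusers = 0;
static struct cached_group group_cache;
static bool group_cached = false;

static struct cached_user *find_user(const char *name)
{
    for (int i = 0; i < nusers; i++)
        if (strcmp(users[i].name, name) == 0) return &users[i];
    return NULL;
}

/* Create a placeholder entry; the real lookup is deferred to getpwnam(). */
static struct cached_user *add_fake_user(const char *name)
{
    struct cached_user *u = find_user(name);
    if (u != NULL || nusers == MAX_USERS) return u;
    u = &users[nusers++];
    snprintf(u->name, sizeof u->name, "%s", name);
    u->state = USER_FAKE;
    return u;
}

/* getgrnam(): one directory request for the group, then placeholder users. */
const struct cached_group *example_getgrnam(const char *name)
{
    if (!group_cached) {
        if (strcmp(name, directory_group_name) != 0) return NULL;
        dir_group_requests++;                          /* the single request */
        snprintf(group_cache.name, sizeof group_cache.name, "%s", name);
        group_cache.gid = directory_group_gid;
        group_cache.nmembers = 0;
        for (size_t i = 0; i < NELEM(directory_group_members); i++) {
            const char *m = directory_group_members[i];
            snprintf(group_cache.members[group_cache.nmembers++], NAME_LEN, "%s", m);
            add_fake_user(m);                          /* no request per member */
        }
        group_cached = true;
    }
    return strcmp(name, group_cache.name) == 0 ? &group_cache : NULL;
}

/* getpwnam(): only now is the user actually fetched from the directory. */
const struct cached_user *example_getpwnam(const char *name)
{
    struct cached_user *u = find_user(name);
    if (u != NULL && u->state == USER_FULL) return u;  /* already populated */
    dir_user_requests++;
    for (size_t i = 0; i < NELEM(directory_users); i++) {
        if (strcmp(directory_users[i].name, name) != 0) continue;
        if (u == NULL) u = add_fake_user(name);
        if (u == NULL) return NULL;                    /* cache full */
        u->uid = directory_users[i].uid;
        snprintf(u->shell, sizeof u->shell, "%s", directory_users[i].shell);
        u->state = USER_FULL;
        return u;
    }
    return NULL;                                       /* unknown user */
}

int example_group_requests(void) { return dir_group_requests; }
int example_user_requests(void)  { return dir_user_requests; }

int main(void)
{
    const struct cached_group *g = example_getgrnam("engineering");
    const struct cached_user *u = example_getpwnam("bob");
    printf("members=%d, bob uid=%u, group requests=%d, user requests=%d\n",
           g ? g->nmembers : 0, u ? u->uid : 0,
           example_group_requests(), example_user_requests());
    return 0;
}
```

The point to check in a real deployment is the second counter: listing a group with thousands of members must not turn into thousands of per-user requests, and a repeated lookup of an already-populated user must not go back to the directory at all.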
Announcing SSSD 1.4.0
by Stephen Gallagher
The SSSD team proudly announces the release of the System Security
Services Daemon version 1.4.0.
As always, SSSD 1.4.0 can be downloaded at https://fedorahosted.org/sssd
== Highlights ==
* Added support for netgroups to the LDAP provider
* Performance improvements made to group processing of RFC2307 LDAP servers
* Fixed nested group issues with RFC2307bis LDAP servers without a
memberOf plugin
* Build-system improvements to support Gentoo
* Split out several libraries into the ding-libs tarball
* Manpage reviewed and updated
== Detailed Changelog ==
Jakub Hrozek (30):
* Fix wrong return value in HBAC time rules evaluation
* Package systemd unit file
* Move crypto functions into its own subdir
* Add safe copy/move macros for uint16_t
* Password obfuscation utility functions
* Fix pysss linking
* Python bindings for obfuscation
* sss_obfuscate tool
* Deobfuscate password in back ends
* Fix assorted minor bugs in sss_ tools
* Fix parameter order when initializing decryption
* Revert "Make ldap bind asynchronous"
* Define objectclass with a constant
* Use a different min_id for local domain
* Add parameter to skip cleanup in sysdb test
* Fix sysdb_group_dn_name
* Fix sysdb_attrs_to_list
* Request the correct attribute name
* Add KDC to the list of LDAP options
* Report Kerberos error code from ldap_child_get_tgt_sync
* Make ldap_child report kerberos return code to parent
* Initialize kerberos service for GSSAPI
* Check for GSSAPI before attempting to kinit
* Add sysdb_attrs_get_ulong utility function
* sysdb interface for adding incomplete groups
* Save dummy groups to cache during initgroups
* sysdb interface for adding fake users
* Save dummy member users during RFC2307 getgr{nam,gid}
* Use unsigned long for conversion to id_t
* set in_transaction explicitly to false
Jan Zeleny (14):
* Initialized return value in dp_copy_options()
* Fixed potential comparison of undefined variable
* Fixed printing of undefined value in sdap_async_accounts.c
* Fixed uninitialized value in proxy_id provider
* Cleaned some dead assignments
* Reviewed sssd-ldap man page
* Fixed small issue in memory context hierarchy
* Dead assignments cleanup in providers code
* Dead assignments cleanup in NSS responder
* Dead assignments cleanup in memberof module
* Dead assignments cleanup in various places in SSSD
* Disable events on ldap fd when offline.
* Man pages should mention supported providers
* Move all references to ldap_<entity>_search_base to "advanced" section
Martin Nagy (1):
* Make ldap bind asynchronous
Maxim (6):
* Fix building sssd
* Fix configure check for ldb
* Add gentoo distributions
* Add custom pam module dir
* Add gentoo-specific init dir
* Remove useless /etc/dbus-1/system.d directory from installation
Ralf Haferkamp (2):
* Shortcut for save_group() to accept sysdb DNs as member attributes
* Return all group members from getgr(nam|gid)
Simo Sorce (2):
* Check if control is supported before using it.
* Add option to limit nested groups
Stephen Gallagher (36):
* Fix chpass operations with LDAP provider
* Remove common directory
* Rewrite toplevel Makefile
* Build SSSD RPMs with external libraries
* Remove src/Makefile.am and src/configure.ac
* Don't build SSSDConfig API when configured with --without-python-bindings
* Treat a zero-length password as a failure
* Properly handle errors from a password change operation
* Handle multiple simultaneous enumeration requests
* Remove generated manpages when performing "make clean"
* Request all group attributes during initgroups processing
* Fix missing variable substitution in DEBUG message
* Initgroups on a non-cached user should go to the data provider
* Fix assorted specfile issues
* Initialize debug_level to zero in crypto tests
* Return offline instead of error
* Add common hash table setup
* Add utility function sss_strnlen()
* Store entry_cache_timeout in sss_domain_info object
* Require explicit setting of callback context for check_cache
* Netgroups sysdb API
* netgroup tests
* Rename group.c and passwd.c for clarity
* Add support for netgroups to NSS sss_client
* Add negative cache features for netgroups
* Split out some helper functions for the NSS responder
* Add netgroup support to the NSS responder
* Rename upgrade_config.py and build it properly
* Assorted specfile changes
* Make sdap_save_users_send handle zero users gracefully
* Handle nested groups in RFC2307bis
* Modify sysdb_[add|remove]_group_member to accept users and groups
* Add proper nested initgroup support for RFC2307bis servers
* Updating translation files for release
* Fix 'make distcheck' for XML documentation
* Updating version for SSSD 1.4.0 release
Sumit Bose (21):
* Store rootdse supported features in sdap_handler
* Handle host objects like other objects
* Save all data to sysdb in one transaction
* Use new MIT krb5 API for better password expiration warnings
* Suppress some 'may be used uninitialized' warnings
* Suppress some 'unchecked return value' warnings
* Use POPT_TABLEEND to close option table
* Add a missing include file
* Rename index to idx
* Distribute XML sources instead of man-pages
* Remove unused defines
* Raise the required version of libdhash
* Add missing tevent_req_done()
* Return NSS_STATUS_RETURN instead of NSS_STATUS_NOTFOUND
* Add handling of nested netgroups to nss client
* Do not fail if netgroup exists just update the attributes
* Add sysdb_netgroup_base_dn()
* Also return member groups to the client
* Add infrastructure to LDAP provider for netgroup support
* Implement netgroup support for LDAP provider
* Avoid a global variable in netgroup client.
12 years, 11 months
[PATCH] Serialize authentication requests
by Jan Zelený
I'm sending a patch which resolves ticket #533 by implementing a hash
table in the PAM responder.
For testing I followed this approach:
0) Configure sssd to use RH LDAP and KRB
1) Activate shaping on the host computer
tc qdisc add dev eth0 root netem delay 2s
2) Run 2 separate shells with non-root user logged in
3) In both shells run su - <login> simultaneously
4) When asked for password, type in your password, but don't hit enter
5) When you have a password typed in both shells, hit enter in the first one,
quickly switch to the other one and hit enter there (you should have a 2s window
to do this)
In both shells you should be logged in as <login> and you should have the same
ticket cache file.
Something about the concept: I took it from the NSS responder (or rather the
common part, which retrieves information about the user) as suggested in the
ticket. But as Jakub pointed out to me, it is questionable whether we want to
invoke all associated callbacks by scheduling them at the same time. The
easier alternative is to call them all one after another in a loop. I suppose
it was implemented this way so it doesn't take long to forward all associated
replies and other requests from the PAM module can be served. Am I right? Or would
it be better to rewrite the patch and use the loop instead?
Thanks
Jan
12 years, 11 months
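The mechanism Jan's test procedure exercises, as an added example that is not the patch itself or SSSD's own code: concurrent authentication requests for the same user are tracked in a small hash table; the first one goes to the back end, later ones attach their callback to the in-flight entry, and the single reply is delivered to every waiter in a loop (the simpler of the two alternatives Jan raises). The table layout, the callback signature and all names are constructed for the example.

```c
/* Added example, not SSSD's own code: a toy model of coalescing concurrent
 * PAM authentication requests for the same user in a hash table.  The first
 * request for a user goes to the back end; later requests attach to the
 * in-flight entry and are answered from the single reply. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE  8
#define MAX_WAITERS 4
#define NAME_LEN    32

typedef void (*auth_cb)(const char *user, bool ok, void *pvt);

struct pending_auth {
    bool used;
    char user[NAME_LEN];
    int nwaiters;
    auth_cb cb[MAX_WAITERS];
    void *pvt[MAX_WAITERS];
};

static struct pending_auth table[TABLE_SIZE];
static int backend_requests = 0;     /* how many times the back end was asked */

static unsigned hash_user(const char *s)   /* djb2, reduced to a slot index */
{
    unsigned h = 5381;
    for (; *s; s++) h = h * 33 + (unsigned char)*s;
    return h % TABLE_SIZE;
}

/* Find the in-flight entry for `user` (or, with create, a free slot).  The
 * whole table is scanned from the hash slot, so removal needs no tombstones. */
static struct pending_auth *lookup(const char *user, bool create)
{
    unsigned start = hash_user(user);
    for (unsigned i = 0; i < TABLE_SIZE; i++) {
        struct pending_auth *p = &table[(start + i) % TABLE_SIZE];
        if (create ? !p->used : (p->used && strcmp(p->user, user) == 0))
            return p;
    }
    return NULL;
}

/* A request arrives from the PAM client.  Returns 1 if a new back-end request
 * was issued, 0 if it was attached to one already in flight, -1 on overflow. */
int pam_auth_request(const char *user, auth_cb cb, void *pvt)
{
    struct pending_auth *p = lookup(user, false);
    if (p != NULL) {
        if (p->nwaiters == MAX_WAITERS) return -1;
        p->cb[p->nwaiters] = cb;
        p->pvt[p->nwaiters] = pvt;
        p->nwaiters++;
        return 0;
    }
    p = lookup(user, true);
    if (p == NULL) return -1;
    p->used = true;
    snprintf(p->user, sizeof p->user, "%s", user);
    p->cb[0] = cb;
    p->pvt[0] = pvt;
    p->nwaiters = 1;
    backend_requests++;
    return 1;
}

/* The back-end reply arrives.  Every waiter is called in a loop, and the slot
 * is released before the callbacks run so that a callback may safely issue a
 * fresh request for the same user.  Returns the number of callbacks delivered. */
int pam_auth_reply(const char *user, bool ok)
{
    struct pending_auth *p = lookup(user, false);
    if (p == NULL) return 0;
    struct pending_auth done = *p;   /* copy out, then free the slot */
    memset(p, 0, sizeof *p);
    for (int i = 0; i < done.nwaiters; i++)
        done.cb[i](done.user, ok, done.pvt[i]);
    return done.nwaiters;
}

int pam_backend_requests(void) { return backend_requests; }

/* Sample callback: counts successful authentications into an int. */
void example_count_cb(const char *user, bool ok, void *pvt)
{
    (void)user;
    if (ok) (*(int *)pvt)++;
}

int main(void)
{
    int shell1 = 0, shell2 = 0;
    /* Two `su - jan` sessions reach the responder inside the same window. */
    pam_auth_request("jan", example_count_cb, &shell1);
    pam_auth_request("jan", example_count_cb, &shell2);
    pam_auth_reply("jan", true);
    printf("back-end requests: %d, shell1 ok=%d, shell2 ok=%d\n",
           pam_backend_requests(), shell1, shell2);
    return 0;
}
```

One caveat on this toy: it keys the table on the user name alone. That matches Jan's test (the same password is typed in both shells), but in general a waiter attached on user name only would receive the verdict for whatever credential the first request carried. A real responder must either include the credential (or a hash of it) in the key, or queue the second request behind the first and authenticate it separately, rather than share the result.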
[PATCH] Fix 'make distcheck' for XML documentation
by Stephen Gallagher
A missing $(srcdir) variable was preventing 'make distcheck' from
working if run from a parallel build directory.
Pushed to master under one-liner rule.
12 years, 11 months
[PATCH] set in_transaction explicitly to false
by Jakub Hrozek
I didn't hit this in development as I was running with -O0..
12 years, 11 months