sssd-devel February 2011

sssd-devel@lists.fedorahosted.org

11 participants
38 discussions

Re: [SSSD] git push failes for me
by Jeff Schroeder 08 Feb '11

08 Feb '11

for real this time 2011/2/8 Jeff Schroeder <jeffschroeder(a)computer.org>: > looping in sssd-devel. > > Reference bug: https://bugzilla.redhat.com/show_bug.cgi?id=675007 > > Милош, what is your username in git? I'm pretty sure I can manually > clear your entry with ldbedit for now. > > 2011/2/8 Olav Vitters <olav(a)vitters.nl>: >> On Tue, Feb 08, 2011 at 10:15:51PM +0100, Милош Поповић wrote: >>> I am coordinator of Serbian translation, but for the last days I can not >>> send any files to Git. Here is the error message: >> >> We (gnome sysadmins) made a change to the infrastructure (switched to >> sssd). This remembers which permissions you have within GNOME (meaning: >> git account). Unfortunately there is a bug in that where it sometimes >> corrupts its cache. As a result, it doesn't remember that you're allowed >> to commit to git :-( >> >> CC'ing gnome-infrastructure for latest update >> >> Quoting full for gnome-infrastructure: >> >>> milos@PotrChkO ~/.prevodi/gbrainy/po $ git push >>> Counting objects: 13, done. >>> Delta compression using up to 2 threads. >>> Compressing objects: 100% (8/8), done. >>> Writing objects: 100% (8/8), 1.10 KiB, done. >>> Total 8 (delta 6), reused 0 (delta 0) >>> error: insufficient permission for adding an object to repository >>> database ./objects >>> >>> fatal: failed to write object >>> error: unpack failed: unpack-objects abnormal exit >>> To ssh://mpopovic@git.gnome.org/git/gbrainy >>> ! [remote rejected] master -> master (n/a (unpacker error)) >>> error: failed to push some refs to >>> 'ssh://mpopovic@git.gnome.org/git/gbrainy' >> >> -- >> Regards, >> Olav >> _______________________________________________ >> gnome-infrastructure mailing list >> gnome-infrastructure(a)gnome.org >> http://mail.gnome.org/mailman/listinfo/gnome-infrastructure > > > > -- > Jeff Schroeder > > Don't drink and derive, alcohol and analysis don't mix. > http://www.digitalprognosis.com > -- Jeff Schroeder Don't drink and derive, alcohol and analysis don't mix. http://www.digitalprognosis.com

3 2

[PATCH] Be extra careful when closing our nss sockets
by Simo Sorce 08 Feb '11

08 Feb '11

This patch address bz670511/trac790 Makes sure there is less chance a broken application, on fork, closes the socket under our feet and reuses the same fd for other purposes, and then complains if we close with the socket. Simo. -- Simo Sorce * Red Hat, Inc * New York

2 4

[PATCH] Only print "no matching service rule" when appropriate
by Stephen Gallagher 04 Feb '11

04 Feb '11

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We were printing "no matching service rule" on all successful requests. This is obviously wrong. Thanks, Gowrishankar for catching this. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1MTS0ACgkQeiVVYja6o6MWLgCggvbGEtXO+SG5JOd4v2JT9n6I AZUAn3q1+2nGJcU0PalX6fM75QUV3TmN =sa1O -----END PGP SIGNATURE-----

2 2

[PATCHES] Performance improvements for the LDAP cleanup task
by Stephen Gallagher 03 Feb '11

03 Feb '11

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Patch 0001: I discovered that the cleanup task was not contained in a transaction, so if there were multiple expired entries, it would take a long time (and perform many disc writes) to remove them. Patch 0002: While investigating the above, I also realized that the dataExpireTimestamp attribute (which we use as the primary search expression for expired entries) wasn't listed as an indexed attribute. This means that searches over a large sysdb database (e.g. one with enumerate = true) was significantly slower than it should be. This patch adds dataExpireTimestamp as an indexed attribute. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1CuooACgkQeiVVYja6o6O3IgCfaJyKVwabr7mYZjt5tHH+bx/i zroAoKptTdlTpYtQu4EZYUjWsQcn4ay9 =LRic -----END PGP SIGNATURE-----

2 4

[PATCH] Removing -p option from sss_obfuscate and updating man pages accordingly.
by Gowrishankar Rajaiyan 03 Feb '11

03 Feb '11

Hi Its never a good idea to have a password on the command-line. Patch 0001- removes the -p/--password option from sss_obfuscate command. Patch 0002- updated sss_obfuscate man pages accordingly. -- regards /shanks

2 2

[PATCHES] sss_obfuscate fixes
by Stephen Gallagher 03 Feb '11

03 Feb '11

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Patch 0001: Make the domain argument mandatory in sss_obfuscate It doesn't make sense to set a "default" domain. We should require that the domain always be specified. Patch 0002: Gracefully handle permission errors in sss_obfuscate Don't show a traceback if not run as root. Replaces patch from "Fixing traceback call messages for sss_obfuscate command" - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1IeKMACgkQeiVVYja6o6NGLwCfXQnzdZcNYvonvRVG0kd7zx+X +2oAoKyjeNQs/xmy94PXVb1ZIzqAz+Hh =QCB3 -----END PGP SIGNATURE-----

2 5

Config problem or bug(?) with sssd and Windows AD 2008
by Patrick Grieshaber 02 Feb '11

02 Feb '11

Hello folks, first let me say that the sssd project is great and I am lucky that this project is available for CentOS/Redhat through the EPEL repo :-). I've installed version sssd-1.2.1-27.el5.x86_64 and I want to be able to fetch user infos plus enable login through AD 2008 - but I fail.. sssd.conf: [domain/example.com] enumerate = false id_provider = ldap chpass_provider = krb5 ldap_uri = ldap://dc1.example.com, ldap://dc2.example.com ldap_search_base = dc=example,dc=com tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt ldap_tls_cacertdir = /etc/pki/tls/certs ldap_default_bind_dn = CN=serviceuser,DC=example,DC=com ldap_default_authtok_type = password ldap_default_authtok = serviceuserpassword ldap_user_name = sAMAccountName ldap_search_base = OU=IT,DC=example,DC=com ldap_pwd_policy = none ldap_user_object_class = person ldap_schema = rfc2307bis ldap_user_principal = userPrincipalName ldap_user_uid_number = sAMAccountName ldap_user_gid_number = sAMAccountName ldap_user_uuid = sAMAccountName ldap_user_fullname = displayName # kerberos config auth_provider = krb5 krb5_kdcip = dc1.example.com krb5_realm = EXAMPLE.COM krb5_changepw_principle = kadmin/changepw krb5_ccachedir = /tmp krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX krb5_auth_timeout = 15 For debugging reasons I run: sssd -d9 Here the output if I attempt: su - myuser(a)example.com ...snip... (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_get_generic_send] (6): calling ldap_search_ext with [(&(sAMAccountName=myuser)(objectclass=person))][OU=IT,DC=example,DC=com]. ...snip... (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_process_result] (8): Trace: sh[0x8f876c0], connected[1], ops[0x8f87500], ldap[0x8f876f0] (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_process_result] (8): Trace: ldap_result found nothing! (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_process_result] (8): Trace: sh[0x8f876c0], connected[1], ops[0x8f87500], ldap[0x8f876f0] (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_parse_entry] (9): OriginalDN: [CN=my,OU=IT,DC=example,DC=com]. (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_process_result] (8): Trace: sh[0x8f876c0], connected[1], ops[0x8f87500], ldap[0x8f876f0] (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_get_generic_done] (6): Search result: Success(0), (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_get_users_process] (6): Search for users, returned 1 results. (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_process_result] (8): Trace: sh[0x8f876c0], connected[1], ops[(nil)], ldap[0x8f876f0] (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_process_result] (8): Trace: ldap_result found nothing! (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [ldb] (9): start ldb transaction (nesting: 0) (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_save_user_send] (9): Save user (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_save_user_send] (1): no uid provided for [myuser] in domain [example.com] (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_save_users_process] (2): Failed to store user 0. Ignoring. (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [ldb] (9): commit ldb transaction (nesting: 0) (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_get_users_done] (9): Saving 1 Users - Done (Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success And su outputs: su: user myuser(a)example.com does not exist What is wrong? I do the mapping of a uid/gid... any help is appreciated! Thank you, pat -- Patrick Grieshaber Mobile: +41 (0)79 215 63 79 Xing: xing.com/profile/Patrick_Grieshaber Skype: patrickgrieshaber GPG Key Fingerprint 0252 0C05 410E C345 1AC7 7530 98ED B18E 62CB CF04

4 11

[PATCH]Sanitize search filters for nested group lookups
by Stephen Gallagher 01 Feb '11

01 Feb '11

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Marcus discovered while doing some AD testing that we were throwing errors dealing with nested groups where the group name has parentheses in it. It turned out that I missed two places where we needed to sanitize search filters. Attached patch fixes https://fedorahosted.org/sssd/ticket/785 - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1G+bMACgkQeiVVYja6o6NYOgCdFpDIFZuDM9SHYL5bVPZwGMrJ kDEAn1H0wp1pAV7CW+mqup4hDOgAFPZp =CsJY -----END PGP SIGNATURE-----

2 2

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel February 2011