In c-ares 1.7, the upstream renamed the addrttl/addr6ttl structures to
ares_addrttl/ares_addr6ttl so they are in the ares_ namespace.
Because they are committed to a stable ABI, the contents are the same,
just the name changed -- so it is safe to just #define the new name for
older c-ares versions.
This patch should fix https://fedorahosted.org/sssd/ticket/896.
Currently we expect that server side password policies are available if
the user object has a pwdAttribute set. But recently we introduced a
patch which lets sssd only use LDAP controls which are listed in the
supportedControl attribute of the rootDSE, and OpenLDAP does not list the
password policy control there. Since sssd does not check carefully if the
server really returns the policy data, a segfault might happen in this
With this patch we only assume that there are server side password
policies if the server returns a LDAP_CONTROL_PASSWORDPOLICYRESPONSE.
Much of the patch is a conversion from the system "struct hostent" to our
own "struct resolv_hostent".
After some going back and forth, the addresses are stored pretty much the
same as in "struct hostent", in a uint8_t buffer. The reason being
simpler access to the address, as seen in the inet_ntop calls, without
having to explicitly specify the v6 or v4 component of a union, for example.
The "family" structure member specifies the address family, which implies
the address type after all.
For resolving hostnames from /etc/hosts, I still used
ares_gethostbyname() with databases set to "files" only. It is
convenient to do so, as they implement the parser and provide a nice
interface. The only issue I came across was that if a hostname is not
found in /etc/hosts, c-ares would return ARES_ECONNREFUSED. I consider
this a c-ares bug and will handle this upstream.
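The storage layout described in the message above, as an added example that is not sssd's own code: a hypothetical struct (named example_hostent here, not the project's struct resolv_hostent) keeps the raw network-order bytes in a uint8_t buffer and lets the family member drive inet_pton/inet_ntop, so no caller has to pick a v4 or v6 union member. The addresses used are constructed test values from the documentation ranges.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the layout discussed above (not sssd's actual
 * struct resolv_hostent): "family" tells inet_ntop how many of the raw bytes
 * in "addr" are meaningful and how to render them, so no union is needed. */
struct example_hostent {
    int family;        /* AF_INET or AF_INET6 */
    uint8_t addr[16];  /* raw network-order address; 4 or 16 bytes used */
};

/* Number of address bytes that are valid for this entry's family. */
size_t example_hostent_addrlen(const struct example_hostent *he)
{
    return he->family == AF_INET ? sizeof(struct in_addr)
                                 : sizeof(struct in6_addr);
}

/* Parse a presentation-form address into the entry; 1 on success, 0 on failure.
 * The buffer is always cleared first so unused tail bytes are deterministic. */
int example_hostent_set(struct example_hostent *he, int family, const char *text)
{
    if (family != AF_INET && family != AF_INET6)
        return 0;
    he->family = family;
    memset(he->addr, 0, sizeof(he->addr));
    return inet_pton(family, text, he->addr) == 1;
}

/* Render the address: the family plus the raw buffer is all inet_ntop needs. */
const char *example_hostent_ntop(const struct example_hostent *he,
                                 char *buf, size_t len)
{
    return inet_ntop(he->family, he->addr, buf, (socklen_t)len);
}

/* Round-trip check: parse, render, and compare with the canonical text.
 * Returns 1 when the stored bytes render back to exactly "text". */
int example_roundtrip_ok(int family, const char *text)
{
    struct example_hostent he;
    char buf[INET6_ADDRSTRLEN];

    if (!example_hostent_set(&he, family, text))
        return 0;
    if (example_hostent_ntop(&he, buf, sizeof(buf)) == NULL)
        return 0;
    return strcmp(buf, text) == 0;
}

int main(void)
{
    struct example_hostent he;
    char buf[INET6_ADDRSTRLEN];

    /* constructed sample inputs */
    if (example_hostent_set(&he, AF_INET6, "2001:db8::1"))
        printf("%s (%zu address bytes)\n",
               example_hostent_ntop(&he, buf, sizeof(buf)),
               example_hostent_addrlen(&he));
    if (example_hostent_set(&he, AF_INET, "192.0.2.10"))
        printf("%s (%zu address bytes)\n",
               example_hostent_ntop(&he, buf, sizeof(buf)),
               example_hostent_addrlen(&he));
    return 0;
}
```

Feeding an IPv6 string with AF_INET (or vice versa) fails at inet_pton rather than silently storing mismatched bytes, which is the check the family member buys you.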
Kaushik found misleading error messages in the proxy provider if the
user is not a member of any secondary groups. Currently we send back the
errno value returned in the last argument of the external
initgroups_dyn(), which seems to be undefined if the call itself returns
NSS_STATUS_SUCCESS. To be on the safe side I think we should set it
explicitly. Additionally, patch 0002 makes sure that we print this errno
value in the debug message in case of an error and not always EIO.
While trying to reproduce this issue I found that libsss_util is needed
to run the proxy provider and fixed this with patch 0001.
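The caller-side discipline the message above argues for, as an added example that is not sssd's proxy provider code: a constructed stand-in NSS module (fake_initgroups_dyn, with the same parameter list glibc uses for initgroups_dyn) leaves the errno slot untouched on NSS_STATUS_SUCCESS, and the hypothetical caller example_get_groups zeroes that slot before the call, reports it only on a non-success status, and falls back to EIO only when the module supplied nothing. The enum and the user/gid data are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Local stand-in for glibc's enum nss_status (constructed for this example). */
enum example_nss_status {
    EX_NSS_STATUS_TRYAGAIN = -2,
    EX_NSS_STATUS_UNAVAIL  = -1,
    EX_NSS_STATUS_NOTFOUND =  0,
    EX_NSS_STATUS_SUCCESS  =  1
};

/* Hypothetical NSS module with the initgroups_dyn parameter list. On success it
 * never writes *errnop, which is exactly the behaviour the message describes:
 * whatever the caller left there is what the caller gets back. */
static enum example_nss_status
fake_initgroups_dyn(const char *user, gid_t group, long *start, long *size,
                    gid_t **groups, long limit, int *errnop)
{
    (void)group; (void)limit;

    if (strcmp(user, "nogroups") == 0)
        return EX_NSS_STATUS_SUCCESS;          /* no secondary groups, errnop untouched */

    if (strcmp(user, "alice") == 0) {
        if (*start + 1 > *size) {
            *errnop = ERANGE;                  /* buffer too small */
            return EX_NSS_STATUS_TRYAGAIN;
        }
        (*groups)[(*start)++] = 1000;          /* constructed secondary gid */
        return EX_NSS_STATUS_SUCCESS;
    }

    *errnop = ENOENT;
    return EX_NSS_STATUS_NOTFOUND;
}

/* Hypothetical caller. Returns 0 on success with *count groups written to out,
 * or -1 with *err holding the errno to report. The errno slot is initialised
 * before the call so a stale value can never be surfaced as an error. */
int example_get_groups(const char *user, gid_t primary, gid_t *out, long cap,
                       long *count, int *err)
{
    long start = 0, size = cap;
    gid_t *groups = out;
    int errnop = 0;   /* set explicitly: undefined after SUCCESS otherwise */
    enum example_nss_status st;

    st = fake_initgroups_dyn(user, primary, &start, &size, &groups, -1, &errnop);
    *count = start;

    if (st == EX_NSS_STATUS_SUCCESS) {
        *err = 0;     /* success: ignore errnop entirely */
        return 0;
    }
    /* Report what the module said; only fall back to EIO if it said nothing. */
    *err = errnop != 0 ? errnop : EIO;
    return -1;
}
```

The debug path should print *err as returned here; printing EIO unconditionally, as the message notes patch 0002 fixes, hides the ENOENT or ERANGE the module actually reported.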
This patch should fix https://fedorahosted.org/sssd/ticket/888 which
describes a corner case where an unused ccache file with a random name
is not recreated during the renewal of an expired password via sshd with
I have tried to think of a situation where it might be a bad idea to
remove the on-disk ccache file but found none.
Based on IRC conversations with sgallagh, we determined that my
ignorance led to /etc/pam.d/system-auth being correctly configured,
but /etc/pam.d/password-auth left as the defaults. This was causing
issues with sssd renewing the incorrect kerb credential cache.
After fixing my password-auth file, I'm still having issues with
automatic ticket renewal. It seems that, now, the sssd cache database
is not seeing my kerb credential cache. The ccacheFile is missing,
even after I log in successfully with kerb. My KRB5CCNAME environment
variable is set and matches the cache shown in klist.
What would cause sssd to not recognize the cache name? selinux is in
permissive mode, I tried blowing away my sssd config (deleted all the
ldb databases) and reconfiguring everything from scratch with
authconfig. I'm not convinced something is leftover from a previous
bad config, but am not sure where else to look.
Thanks for all the help,