June 2011 - sssd-devel - Fedora Mailing-Lists

[PATCH] Provide TTL structure names for c-ares < 1.7

by Jakub Hrozek

In c-ares 1.7, the upstream renamed the addrttl/addr6ttl structures to ares_addrttl/ares_addr6ttl so they are in the ares_ namespace. Because they are committed to stable ABI, the contents are the same, just the name changed -- so it is safe to just #define the new name for older c-ares version.

12 years, 10 months

2
3
0 / 0

[PATCH] Test NULL server hostname in fail over tests

by Jakub Hrozek

I created a semi-manual test case for QA to exercise this issue a while ago and thought it would be nice to have it upstream, too. This patch depends on the resolver TTL patches.

12 years, 10 months

3
2
0 / 0

[PATCH] Do not check pwdAttribute

by Sumit Bose

Hi, this patch should fix https://fedorahosted.org/sssd/ticket/896 . Currently we expect that server side password policies are available if the user object has a pwdAttribute set. But recently we introduced a patch which let sssd only use LDAP controls which are listed in the supportedControl attribute of the rootDSE and OpenLDAP does not list the password policy control here. Since sssd does not check carefully if the server really returns the policy data a segfault might happen in this scenario. With this patch we only assume that there are server side password policies if servers returns a LDAP_CONTROL_PASSWORDPOLICYRESPONSE. bye, Sumit

12 years, 10 months

2
2
0 / 0

[PATCH] Store and use TTL values for resolved host names

by Jakub Hrozek

https://fedorahosted.org/sssd/ticket/811 Much of the patch is a conversion from system "struct hostent" to our own "struct resolv_hostent". After some going back and forth, the addresses are stored pretty much same as in "struct hostent" in a uint8_t buffer. The reason being simpler access to the address as seen in the inet_ntop calls without having to explicitly specify v6 or v4 component of a union, for example. The "family" structure member specifies the address family which implies the address type after all. For resolving hostnames from /etc/hosts, I still used ares_gethostbyname() with databases set to "files" only. It is convenient do to so, as they implement the parser and provide a nice interface. The only issue I came across was that if a hostname is not found in /etc/hosts, c-ares would return ARES_ECONNREFUSED. I consider this a c-ares bug and will handle this upstream.

12 years, 10 months

3
7
0 / 0

[PATCHES] Two proxy provider issues

by Sumit Bose

Hi, Kaushik found missleading error messages in the proxy provider if the user is not a member of any secondary groups. Currently we send back the errno value returned in the last argument of the external initgroups_dyn() which seems to be undefined if the call itself returns NSS_STATUS_SUCCESS. To be on the safe side I think we should set it explicitly. Additionaly patch 0002 makes sure that we print this errno value in the debug message in case of an error and not always EIO. While trying to reproduce this issued I found that libsss_util is needed to run the proxy provider and fixed this with patch 0001. bye, Sumit

12 years, 10 months

3
2
0 / 0

[PATCH] Make parse_args skip extra spaces

by Jakub Hrozek

https://fedorahosted.org/sssd/ticket/871 The second patch adds a couple of unit tests to exercise both the old behaviour and the multiple spaces.

12 years, 10 months

3
6
0 / 0

[PATCH] Fix two typos

by Sumit Bose

Hi, I came across those two typos. bye, Sumit

12 years, 10 months

2
2
0 / 0

[PATCH] Delete cached ccache file if password is expired

by Sumit Bose

Hi, this patch should fix https://fedorahosted.org/sssd/ticket/888 which describes a corner case where an unused ccache file with a random name is not recreated during the renewal of an expired password via sshd with privilege separation. I have tried to think of a situation where it might be a bad idea to remove the on-disk ccache file but found none. bye, Sumit

12 years, 10 months

3
4
0 / 0

Kerb credential cache not getting into default_cache.ldb

by Norman Elton

Based on IRC conversations with sgallagh, we determined that my ignorance led to /etc/pam.d/system-auth being correctly configured, but /etc/pam.d/password-auth left as the defaults. This was causing issues with sssd renewing the incorrect kerb credential cache. After fixing my password-auth file, I'm still having issues with automatic ticket renewal. It seems that, now, the sssd cache database is not seeing my kerb credential cache. the ccacheFile is missing, even after I log in successfully with kerb. My KRB5CCNAME environment variable is set and matches the cache shown in klist. What would cause sssd to not recognize the cache name? selinux is in permissive mode, I tried blowing away my sssd config (deleted all the ldb databases) and reconfiguring everything from scratch with authconfig. I'm not convinced something is leftover from a previous bad config, but am not sure where else to look. Thanks for all the help, Norman

12 years, 10 months

4
5
0 / 0

chpass_provider

by Frank Dornheim

Hi list, i have a running sssd, ldap, krb5 system. client [sssd] --> [openLdap] --> KRB5 So everything work expected. My LDAP user use LDAP/ KRB5 if there is a connect and sssd is offline. But i dont understand the chpass_provider. For a basic orientation are example config at the end. If i try to change my password and the LDAP/ Kerberos- server is stopped i get an: "System is offline, password change not possible". But if the LDAP/Kerberos- server is online i use PAM to change the kerberos PW. So why i should configure the chpass_provider and in which circumstances sssd the chpass_provider. Thanks Con __my sssd.conf conf__ [domain/EXAMPLE.ORG] auth_provider = ldap id_provider = ldap ldap_schema = rfc2307 ldap_uri = ldaps://ldap.example.org ldap_search_base = dc=example,dc=org ldap_user_search_base = ou=users,dc=example,dc=org ldap_group_search_base = ou=groups,dc=example,dc=org ldap_default_bind_dn = cn=unpriv-ldap-nss-srv,ou=services,dc=example,dc=org ldap_default_authtok_type = password ldap_default_authtok = securepass krb5_server = kerberos.example.org krb5_kpasswd = kerberos.example.org krb5_changepw_principal = kadmin/changepw krb5_realm = EXAMPLE.ORG ldap_pwd_policy = mit_kerberos chpass_provider=krb5 ldap_tls_reqcert = demand ldap_tls_cacert = /etc/ssl/certs/cacert.pem cache_credentials = true enumerate = False min_id = 10000 max_id = 29999 __my auth-client-config__ [sssd.krb5] nss_passwd= passwd: compat sss nss_group= group: compat sss nss_shadow= shadow: compat nss_netgroup= netgroup: nis pam_auth= auth required pam_env.so auth [success=4 default=ignore] pam_krb5.so try_first_pass auth [success=3 default=ignore] pam_unix.so debug nullok_secure try_first_pass auth requisite pam_succeed_if.so uid >= 10000 quiet auth [success=1 default=ignore] pam_sss.so use_first_pass auth requisite pam_deny.so auth required pam_permit.so pam_account= account required pam_krb5.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 10000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so pam_password= password requisite pam_cracklib.so try_first_pass difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 password sufficient pam_krb5.so try_first_pass use_authtok password sufficient pam_unix.so try_first_pass use_authtok sha512 password sufficient pam_sss.so use_authtok password required pam_deny.so pam_session= session required pam_mkhomedir.so skel=/etc/skel/ umask=0077 session optional pam_keyinit.so revoke session optional pam_krb5.so session required pam_limits.so session [success=1 default=ignore] pam_sss.so session required pam_unix.so

12 years, 10 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel June 2011