[PATCH] Provide TTL structure names for c-ares < 1.7
by Jakub Hrozek
In c-ares 1.7, the upstream renamed the addrttl/addr6ttl structures to
ares_addrttl/ares_addr6ttl so they are in the ares_ namespace.
Because they are committed to a stable ABI, the contents are the same,
just the name changed -- so it is safe to just #define the new name for
older c-ares versions.
12 years, 10 months
[PATCH] Do not check pwdAttribute
by Sumit Bose
Hi,
this patch should fix https://fedorahosted.org/sssd/ticket/896 .
Currently we expect that server side password policies are available if
the user object has a pwdAttribute set. But recently we introduced a
patch which lets sssd only use LDAP controls which are listed in the
supportedControl attribute of the rootDSE, and OpenLDAP does not list the
password policy control there. Since sssd does not check carefully if the
server really returns the policy data, a segfault might happen in this
scenario.
With this patch we only assume that there are server side password
policies if the server returns an LDAP_CONTROL_PASSWORDPOLICYRESPONSE.
bye,
Sumit
12 years, 10 months
[PATCH] Store and use TTL values for resolved host names
by Jakub Hrozek
https://fedorahosted.org/sssd/ticket/811
Much of the patch is a conversion from system "struct hostent" to our
own "struct resolv_hostent".
After some going back and forth, the addresses are stored pretty much the
same as in "struct hostent", in a uint8_t buffer. The reason is
simpler access to the address, as seen in the inet_ntop calls, without
having to explicitly specify the v6 or v4 component of a union, for example.
The "family" structure member specifies the address family which implies
the address type after all.
For resolving hostnames from /etc/hosts, I still used
ares_gethostbyname() with databases set to "files" only. It is
convenient to do so, as they implement the parser and provide a nice
interface. The only issue I came across was that if a hostname is not
found in /etc/hosts, c-ares would return ARES_ECONNREFUSED. I consider
this a c-ares bug and will handle this upstream.
12 years, 10 months
[PATCHES] Two proxy provider issues
by Sumit Bose
Hi,
Kaushik found misleading error messages in the proxy provider if the
user is not a member of any secondary groups. Currently we send back the
errno value returned in the last argument of the external
initgroups_dyn(), which seems to be undefined if the call itself returns
NSS_STATUS_SUCCESS. To be on the safe side I think we should set it
explicitly. Additionally, patch 0002 makes sure that we print this errno
value in the debug message in case of an error and not always EIO.
While trying to reproduce this issue I found that libsss_util is needed
to run the proxy provider and fixed this with patch 0001.
bye,
Sumit
12 years, 10 months
Kerb credential cache not getting into default_cache.ldb
by Norman Elton
Based on IRC conversations with sgallagh, we determined that my
ignorance led to /etc/pam.d/system-auth being correctly configured,
but /etc/pam.d/password-auth left as the defaults. This was causing
issues with sssd renewing the incorrect kerb credential cache.
After fixing my password-auth file, I'm still having issues with
automatic ticket renewal. It seems that, now, the sssd cache database
is not seeing my kerb credential cache. The ccacheFile is missing,
even after I log in successfully with kerb. My KRB5CCNAME environment
variable is set and matches the cache shown in klist.
What would cause sssd to not recognize the cache name? SELinux is in
permissive mode, and I tried blowing away my sssd config (deleted all the
ldb databases) and reconfiguring everything from scratch with
authconfig. I'm not convinced something is left over from a previous
bad config, but am not sure where else to look.
Thanks for all the help,
Norman
12 years, 10 months
chpass_provider
by Frank Dornheim
Hi list,
I have a running sssd, LDAP, krb5 system.
client [sssd] --> [openLdap] --> KRB5
So everything works as expected. My LDAP user uses LDAP/KRB5 if there is a
connection and sssd is offline.
But I don't understand the chpass_provider. For basic orientation, an
example config is at the end.
If I try to change my password and the LDAP/Kerberos server is
stopped, I get: "System is offline, password change not possible".
But if the LDAP/Kerberos server is online, I use PAM to change the Kerberos PW.
So why should I configure the chpass_provider, and in which
circumstances does sssd use the chpass_provider?
Thanks Con
__my sssd.conf conf__
[domain/EXAMPLE.ORG]
auth_provider = ldap
id_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldaps://ldap.example.org
ldap_search_base = dc=example,dc=org
ldap_user_search_base = ou=users,dc=example,dc=org
ldap_group_search_base = ou=groups,dc=example,dc=org
ldap_default_bind_dn = cn=unpriv-ldap-nss-srv,ou=services,dc=example,dc=org
ldap_default_authtok_type = password
ldap_default_authtok = securepass
krb5_server = kerberos.example.org
krb5_kpasswd = kerberos.example.org
krb5_changepw_principal = kadmin/changepw
krb5_realm = EXAMPLE.ORG
ldap_pwd_policy = mit_kerberos
chpass_provider=krb5
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/cacert.pem
cache_credentials = true
enumerate = False
min_id = 10000
max_id = 29999
__my auth-client-config__
[sssd.krb5]
nss_passwd= passwd: compat sss
nss_group= group: compat sss
nss_shadow= shadow: compat
nss_netgroup= netgroup: nis
pam_auth= auth required pam_env.so
          auth [success=4 default=ignore] pam_krb5.so try_first_pass
          auth [success=3 default=ignore] pam_unix.so debug nullok_secure try_first_pass
          auth requisite pam_succeed_if.so uid >= 10000 quiet
          auth [success=1 default=ignore] pam_sss.so use_first_pass
          auth requisite pam_deny.so
          auth required pam_permit.so
pam_account= account required pam_krb5.so
          account required pam_unix.so
          account sufficient pam_localuser.so
          account sufficient pam_succeed_if.so uid < 10000 quiet
          account [default=bad success=ok user_unknown=ignore] pam_sss.so
          account required pam_permit.so
pam_password= password requisite pam_cracklib.so try_first_pass difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
          password sufficient pam_krb5.so try_first_pass use_authtok
          password sufficient pam_unix.so try_first_pass use_authtok sha512
          password sufficient pam_sss.so use_authtok
          password required pam_deny.so
pam_session= session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
          session optional pam_keyinit.so revoke
          session optional pam_krb5.so
          session required pam_limits.so
          session [success=1 default=ignore] pam_sss.so
          session required pam_unix.so
12 years, 10 months