A test repository with SSSD 1.9 for RHEL-6.3
by Jakub Hrozek
Hi,
even though RHEL-6.4 is still brewing, I think there might be some
interest in trying out the 1.9.x series of the SSSD on RHEL-6.3.
So I went ahead and built the SSSD 1.9.2 in a RHEL-6.3 buildroot:
http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/
The NVR of these test packages will be lower than those in 6.4 to keep
the upgrade path clean. The only missing functionality is the PAC
responder, which means this SSSD version won't be able to work with
an AD domain that is in a trust relationship with an IPA 3.x domain. I
had to disable the PAC responder as it requires Kerberos 1.10.
Because some new functionality required tweaking the SELinux policy, you
will encounter AVC denials when the new fast cache is accessed. That
said, my quick smoke testing went fine and we will be glad to hear test
results or bug reports.
Using the repository comes with a warning - this is NOT an official Red
Hat supported repository. The packages have NOT gone through formal QA. If
it breaks your RHEL-6.3 installation, you get to keep the pieces.
This is the repo configuration I used:
--------------------------
[sssd-1.9-RHEL6.3]
name=SSSD 1.9.x built for latest stable RHEL
baseurl=http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/$basearch/
enabled=1
skip_if_unavailable=1
gpgcheck=0
[sssd-1.9-RHEL6.3-source]
name=SSSD 1.9.x built for latest stable RHEL - Source
baseurl=http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/SRPMS
enabled=0
skip_if_unavailable=1
gpgcheck=0
--------------------------
Happy testing!
11 years, 4 months
[PATCH] Allow more libldap debugging
by Jakub Hrozek
This patch should not be pushed to master, but I would like to get it
reviewed anyway.
It should be used to provide a custom build for users experiencing cases
where ldap_search_ext would block (c.f.
https://bugzilla.redhat.com/show_bug.cgi?id=728343)
For example:
export SSSD_DEBUG_LDAP_SEARCH="0xffff"
would set LDAP_DEBUG_ANY
The attached patch applies cleanly on the RHEL6.1 branch. I also have a
version that applies on master/1.5 if needed.
11 years, 5 months
[PATCH 0/5] Fix various tevent_req style and naming issues
by Simo Sorce
While I was working on an unrelated patchset I couldn't help fixing some
of the code to properly use tevent_req style and naming conventions.
This will bring this code in line with our tevent_req coding style and
hopefully make it more readable to eyes used to the tevent_req style.
It also fixes use of some inconsistent function names.
The krb5_auth.c changes are a bit tricky because I needed to change the
flow in several places and built helper functions to reduce a bit some
of the long functions.
I have been careful to make sure I did not change the actual program flow
and the patches work fine for me, so I am now dropping the RFC and asking
for review and inclusion in master.
Simo Sorce (5):
Fix tevent_req style for krb5_auth
Fix ipa_subdomain_id names and tevent_req style
Fix tevent_req style for get_netgroup in ipa_id
Streamline ipa_account_info handler
Use an entry type mask macro to filter entry types
src/providers/data_provider.h | 1 +
src/providers/ipa/ipa_id.c | 252 ++++++++--------
src/providers/ipa/ipa_id.h | 10 +-
src/providers/ipa/ipa_subdomains_id.c | 75 ++---
src/providers/krb5/krb5_access.c | 6 +-
src/providers/krb5/krb5_auth.c | 556 +++++++++++++++------------------
src/providers/krb5/krb5_auth.h | 2 +-
src/providers/krb5/krb5_wait_queue.c | 12 +-
src/providers/ldap/ldap_id.c | 2 +-
src/providers/proxy/proxy_id.c | 2 +-
10 files changed, 432 insertions(+), 486 deletions(-)
11 years, 5 months
[PATCH] Only build extract_and_send_pac on platforms that support it
by Jakub Hrozek
Attached is a patch that fixes a compilation problem of the SSSD on
RHEL-5. I split the original function into two to only link the child
process with the client libraries and not all consumers of sss_krb5.c
I have a hard stop today around this time, so I didn't have time to
fully test the patch, unfortunately.
11 years, 5 months
Unexpected behavior with 'simple_allow_users ='
by Stef Walter
When I have the following in a domain in sssd.conf:
access_provider = simple
simple_allow_users =
... any user is allowed to log in, despite the list being empty. The
documentation states:
· If either or both "allow" lists are provided, all users are denied
unless they appear in the list.
The list is provided, albeit empty. The simple access provider however
treats it as if it is not provided.
Since sssd.conf is often machine driven, this sort of unexpected
behavior leads to security problems like: removing a user from the
simple_allow_users acl leads to any user being allowed.
I've worked around this behavior in realmd, by using a comma:
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=56027
Patch: https://bugs.freedesktop.org/attachment.cgi?id=68615
Attached is a rough patch to sssd which fixes the problem. If you think
it's worth fixing, I'll do more testing on it.
Cheers,
Stef
11 years, 5 months
[PATCH] sss_cache: Remove fastcache even if sssd is not running.
by Michal Židek
https://fedorahosted.org/sssd/ticket/1584
First, I thought the race condition between sssd_nss and sss_cache
should be solved by some sort of file locking mechanism, but when
started working on it, the places where we needed to check for the file
being locked or free were too many and spread among monitor, nss and
sss_cache tool processes and it was not clear how the access is controlled.
So I decided to do it this way:
1. sss_cache tries to send_sighup to monitor as usual
2. if signal_sssd returns that sssd is not running, proceed with
memcache invalidation
3. As a part of memcache invalidation:
- it first opens the mc file
- then it checks if sssd is running (with pgrep)
- if sssd is running it stops the the process of invalidation
- if sssd is still not running it proceeds with the invalidation
See that if sssd starts after (or during) the pgrep check (so we will
not catch it as running, but will assume it is off) it is not a
problem, because we have file descriptor associated with file that was
present before sssd was running (we open the file before pgrep call).
sssd_nss alwas creates a new memory cache file on startup, so we will
only mark the old one as recycled (and not the new one), that we do not
care about (because it will be deleted by sssd_nss and marking that as
recycled is not a problem, I think -- the worst thing that can happen is
race between nss and cache tool while both are marking the OLD file as
recycled, but I can not figure out situation where this could be
dangerous, because there are no "temp" states that could be harmful.
Both processes are changing the value of status, but both to the same
value).
Another thing that I like about this is that we do not have to care
about communication sssd vs sssd_nss vs sss_cache but only control sssd
vs sss_cache, which is much easier to understand.
Can someone see any problems that I missed?
NOTE: The function sss_mc_set_recycled is copied from different module.
I did not want to make this function non static and put it to a header
file because it is not intended to be used directly.
I tested it and it works fine for me.
The patch is attached.
Thanks
Michal
11 years, 5 months
[PATCH] sss_cache: Multiple domains not handled properly
by Michal Židek
I found this bug while working on:
https://fedorahosted.org/sssd/ticket/1584
If no objects for deletion were found in the currently searched sysdb
database, the other sysdb databases were not searched at all.
Also the ERROR message informing about specific object not found was
changed to DEBUG message. It was really annoying seeing this message for
all domains, but it can be useful for debugging (it helped me by testing
this patch). Now only one ERROR message is printed if no matching
objects where found and all domains were searched.
Patch is attached.
Thanks
Michal
11 years, 5 months
