[PATCH] Fix language errors in the sssd-krb5.conf man page
by Jakub Hrozek
I asked Deon to proof-read the krb5.conf manpage for us after the recent
changes and she just went ahead, fixed all the issues she found and even
provided a patch.
I just reformatted the patch in a format suitable for git am and attached it.
Thank you Deon!
Ack to the patch from my side, a quick review from another engineer so
that I'm sure the patch applies and builds the manpage would be welcome.
11 years, 6 months
[PATCH] Add more info about ticket validation
by Ondrej Kos
https://fedorahosted.org/sssd/ticket/1499
Adds a log message about not finding an appropriate entry in the keytab and
using the last keytab entry when validation is enabled.
Adds more information about validation to the manpage.
Patch is attached.
O.
--
Ondrej Kos
Associate Software Engineer
Identity Management
Red Hat Czech
phone: +420-532-294-558
cell: +420-736-417-909
ext: 82-62558
loc: 1/5C Brno 1 office
irc: okos @ #brno
11 years, 6 months
sssd ldaps issue on Gentoo
by Aziz Sasmaz
Hi,
I use sssd on all servers in our infrastructure. Most of them are Red Hat,
CentOS and Debian. It works very well with these OSes.
And we have some Gentoo Linux machines. I had some difficulties
configuring sssd when I want to use ldaps:
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldaps://ldap.xxx.com
ldap_chpass_uri = ldaps://ldap-provider.xxx.com
ldap_search_base = dc=xxx,dc=com
ldap_tls_reqcert = allow
cache_credentials = true
enumerate = true
entry_cache_timeout = 5400
ldap_user_gecos = uid
When I use ldap_uri = ldap or ldap_uri = ldaps, getent works, but logins
are not working. There are interesting entries in the log files:
sssd_LDAP
(Wed Oct 10 10:19:33 2012) [sssd[be[LDAP]]] [fo_new_service] (0x0080):
Creating new service 'LDAP'
(Wed Oct 10 10:19:33 2012) [sssd[be[LDAP]]] [fo_add_server] (0x0080):
Adding new server 'ldap.xxx.com', to service 'LDAP'
(Wed Oct 10 10:19:33 2012) [sssd[be[LDAP]]] [fo_new_service] (0x0080):
Creating new service 'LDAP_CHPASS'
(Wed Oct 10 10:19:33 2012) [sssd[be[LDAP]]] [fo_add_server] (0x0080):
Adding new server 'ldap-provider.xxx.com', to service 'LDAP_CHPASS'
(Wed Oct 10 10:19:33 2012) [sssd[be[LDAP]]] [sssm_ldap_sudo_init] (0x0080):
Sudo init handler called but SSSD is built without sudo support, ignoring
(Wed Oct 10 10:19:33 2012) [sssd[be[LDAP]]] [sssm_ldap_autofs_init]
(0x0080): Autofs init handler called but SSSD is built without autofs
support, ignoring
(Wed Oct 10 10:19:33 2012) [sssd[be[LDAP]]] [be_process_init] (0x0020): No
Session module provided for [LDAP] !!
(Wed Oct 10 10:19:33 2012) [sssd[be[LDAP]]] [be_process_init] (0x0020): No
host info module provided for [LDAP] !!
(Wed Oct 10 10:19:33 2012) [sssd[be[LDAP]]] [main] (0x0020): Backend
provider (LDAP) started!
(Wed Oct 10 10:19:43 2012) [sssd[be[LDAP]]] [sdap_sys_connect_done]
(0x0080): Failed to set LDAP SASL nocanon option to true. If your system is
configured to use SASL, LDAP operations might fail.
(Wed Oct 10 10:19:43 2012) [sssd[be[LDAP]]] [simple_bind_done] (0x0080):
Bind result: Success(0), no errmsg set
(Wed Oct 10 10:19:43 2012) [sssd[be[LDAP]]] [sdap_process_group_send]
(0x0040): No Members. Done!
(Wed Oct 10 10:19:43 2012) [sssd[be[LDAP]]] [sdap_process_group_send]
(0x0040): No Members. Done!
sssd_nss
(Wed Oct 10 09:58:24 2012) [sssd[nss]] [nss_dp_reconnect_init] (0x0010):
Could not reconnect to LDAP provider.
(Wed Oct 10 09:58:54 2012) [sssd[nss]] [sbus_reconnect] (0x0080): Making
reconnection attempt 8 to
[unix:path=/var/lib/sss/pipes/private/sbus-dp_LDAP]
(Wed Oct 10 09:58:54 2012) [sssd[nss]] [sbus_reconnect] (0x0020): Failed to
open connection: name=org.freedesktop.DBus.Error.NoServer, message=Failed
to connect to socket /var/lib/sss/pipes/private/sbus-dp_LDAP: Connection
refused
sssd_pam
(Wed Oct 10 09:59:24 2012) [sssd[pam]] [pam_dp_reconnect_init] (0x0010):
Could not reconnect to LDAP provider.
(Wed Oct 10 09:59:54 2012) [sssd[pam]] [sbus_reconnect] (0x0080): Making
reconnection attempt 10 to
[unix:path=/var/lib/sss/pipes/private/sbus-dp_LDAP]
(Wed Oct 10 09:59:54 2012) [sssd[pam]] [sbus_reconnect] (0x0020): Failed to
open connection: name=org.freedesktop.DBus.Error.NoServer, message=Failed
to connect to socket /var/lib/sss/pipes/private/sbus-dp_LDAP: Connection
refused
It says connection refused, but there is no network issue with the LDAP
servers; all ports are open. Could you please give me advice on resolving this
issue?
Thanks,
AS
11 years, 6 months
[PATCH] do not check for POLLERR, POLLHUP, POLLNVAL when reading data
by Pavel Březina
Read the commit message for more info.
This was causing troubles when I wanted the pam responder to close
connection to a client immediately, right after a request is finished.
This code has been in SSSD for years. Simo, as you are the original
author, can you review it please?
11 years, 6 months
[PATCH] Fix typos
by Jakub Hrozek
Patch by Yuri Chornoivan. I'm ACKing it, please nack if you disagree,
otherwise I'll just push it later.
11 years, 6 months
Announcing SSSD 1.8.5
by Jakub Hrozek
=== SSSD 1.8.5 ===
The SSSD team is proud to announce the bugfix release of the System
Security Services Daemon version 1.8.5.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly, this time for
F-16 and F-17.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Fixed a potential segfault when SRV records are used to discover services
* The client libraries now use robust mutexes to avoid a potential deadlock
if a thread was cancelled while holding a mutex
* Do not return an error when the SELinux support is not configured
* Fixed returning an error to the PAM stack when the SSSD was performing
authentication but the kpasswd server was unreachable
* The SSSD used to skip a whole nesting level instead of a single already
processed group when loading nested group membership structure
* Added support for terminating idle connections and made the idle
timeout configurable
* The sss_ssh_knownhostsproxy command no longer aborts when processing a
host without DNS records
* The shadowLastChange attribute is now correctly updated with days since
the Epoch, not seconds
== Tickets Fixed ==
* https://fedorahosted.org/sssd/ticket/1356
SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing
* https://fedorahosted.org/sssd/ticket/1271
Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION
* https://fedorahosted.org/sssd/ticket/1360
Provide "service filter" for SELinux context
* https://fedorahosted.org/sssd/ticket/1354
Add support for terminating idle connections
* https://fedorahosted.org/sssd/ticket/1452
KRB5: Only return PAM error for unreachable kpasswd when performing chpass
* https://fedorahosted.org/sssd/ticket/1419
Fixed wrong number in shadowLastChange
* https://fedorahosted.org/sssd/ticket/1460
Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client
* https://fedorahosted.org/sssd/ticket/1515
KRB5: Return PAM_AUTH_ERR on incorrect password
* https://fedorahosted.org/sssd/ticket/1364
FO: Check server validity before setting status
== Detailed Changelog ==
Jakub Hrozek (8):
* Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION
* Send the correct enumeration request
* Process all groups from a single nesting level
* SYSDB: Make sysdb_attrs_get_el_int() public
* KRB5: Only return PAM error for unreachable kpasswd when performing chpass
* Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client
* KRB5: Return PAM_AUTH_ERR on incorrect password
* FO: Check server validity before setting status
Jan Cholasta (3):
* SSH: Update sss_ssh_knownhostsproxy manual page
* SSH: Supress error message output in sss_ssh_knownhostsproxy
* SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing
Jan Zeleny (2):
* Provide "service filter" for SELinux context
* Fixed wrong number in shadowLastChange
Shantanu Goel (4):
* Set return errno to the value prior to calling close().
* Log message if close() fails in destructor.
* Do not send SIGPIPE on disconnection
* Add support for terminating idle connections
Stephen Gallagher (2):
* Bumping version to 1.8.5
* Make the client idle timeout configurable
Timo Aaltonen (1):
* Move SELinux processing from session to account PAM stack
11 years, 6 months