sssd-devel March 2012

sssd-devel@lists.fedorahosted.org

21 participants
80 discussions

[PATCH] LDAP: Errors retrieving the RootDSE should not be fatal
by Stephen Gallagher 16 Mar '12

16 Mar '12

If we can't reach the RootDSE, let's just proceed as if it's unavailable with reasonable defaults. If we fail later on, that's fine. Fixes https://fedorahosted.org/sssd/ticket/1257

2 2

[PATCHES] SSH: Do reverse DNS lookup of host addresses
by Jan Cholasta 15 Mar '12

15 Mar '12

Hi, the attached patches fix <https://fedorahosted.org/sssd/ticket/1245> and also do some refactoring: [PATCH 1/2] SSH: Allow clients to explicitly specify host alias This change removes the need to canonicalize host names on the responder side - the relevant code was removed. [PATCH 2/2] SSH: Canonicalize host name and do reverse DNS lookup in sss_ssh_knownhostsproxy Honza -- Jan Cholasta

2 1

user and group precedence issue
by Olivier 15 Mar '12

15 Mar '12

> (without the n :-) Ooops :) > sssd cares only about what exists in ldap to date. Ooops again > If you look at the ldap tree on its own you see an > "unknown" user name as member of a group. Ok, I see the logic now ( although I'm not completely convinced from a practical point of view to be honnest : a user name could be defined somewhere else, in a referal ldap for example. In that case, should it be an overall group consistency problem if a memberuid was uknown because a referal server is not accessible ? ). Anyway, thank you so much for your responses Simo and Stephen : I'll adapt my view to what is possible then :-) Kindest, --- Olivier 2012/3/14 Simo Sorce <simo(a)redhat.com>: > On Wed, 2012-03-14 at 19:51 +0100, Olivier wrote: >> Simon, > > (without the n :-) > >> that's where I don't catch ( sorry) : >> >> > You are asking it to know about "unknown" users >> >> If you say in nsswitch.conf : >> >> passwd: local sss >> group: sss local >> >> Then sss should know about users that are in local >> /etc/passwd and may retrieve their groups in ldap ? > > No, sssd is blissfully unaware of what you have in /etc/passwd > or /etc/group, sssd cares only about what exists in ldap to date. > >> Why would that be inconsistent not to insert users >> entries in ldap in that situation ? > > Because in the ldap server there is no corresponding user. If you look > at the ldap tree on its own you see an "unknown" user name as member of > a group. > >> BTW, I don' think that ldap requires that an entry exists >> for a posixgroup memberuid ? > > No the rfc2307 schema does not mandate consistency (the rfc2307bis > schema does mandate it due to use of DNs instead of simple names). > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > _______________________________________________ > sssd-devel mailing list > sssd-devel(a)lists.fedorahosted.org > https://fedorahosted.org/mailman/listinfo/sssd-devel

4 5

user and group precedence issue
by Olivier 14 Mar '12

14 Mar '12

Hello, I have configure redhat (6 and 5) boxes to authenticate users over an openldap server via sssd. I have implemented a policy so that "Systems" accounts ( uid > 500 ) are not in ldap but authentified over local password db. My ldap directory also contains posixgroups that I use to tune some accesses ( using /etc/security/access.conf ). I have added this in my nsswitch.conf : passwd: files sss shadow: files sss group: sss files I have configured sss as a primary source of information for groups, because I would like pam to take into account both groups that are declared in ldap and those that are locally configured (even for system accounts that don't have any entry in ldap). The problem I'm facing is that ldap groups for a user are only considered if the user has itself an entry in ldap ( except if th user is declared as having an ldap group as primary in /etc/passwd ). Here is an example : If I have this in /etc/passwd : ntp:x:38:38::/etc/ntp:/sbin/sh This in /etc/groups ntp:x:38: And this group in ldap : dn: cn=sysgrp,ou=group,dc=example,dc=fr cn: sysgrp gidnumber: 18010 memberuid: ntp memberuid: wheel memberuid: ldap objectclass: posixGroup Then a "su - ntp -c groups" returns only "ntp" group not "sysgrp" : $ su - ntp -c groups ntp If I create a user entry for "ntp" in ldap directory, then it works : # Entry : dn: uid=ntp,ou=sysaccounts,ou=people,dc=example,dc=fr cn: ntp gidnumber: 18010 objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson objectclass: posixAccount uid: ntp uidnumber: 38 ... I have then what I want on the client machine : $ su - ntp -c groups ntp sysgrp I don't want to maintain a DIT in ldap to list system accounts, I would only like to maintain a posix group entry that lists system accounts ( and match if the system account exist on the client ). Is there any way to do that ? May be someone could help me or indicate a documentation or a mailing list that I could try to consult to deal with that problem ? Thanks, --- Olivier

4 10

[PATCH] LDAP: Add AD 2008r2 schema
by Stephen Gallagher 14 Mar '12

14 Mar '12

Fixes https://fedorahosted.org/sssd/ticket/1031 This patch creates a set of schema defaults that corresponds to Active Directory 2008r2. It can be set up simply by specifying ldap_schema = AD Operationally, it behaves like any other RFC2307bis server at this time. This patch does not remove the requirement for SFU/SUA support in Active Directory. More enhancements will follow to add support for AD-specific features.

2 4

Announcing SSSD 1.8.1
by Stephen Gallagher 12 Mar '12

12 Mar '12

The SSSD team is proud to announce the bugfix release of the System Security Services Daemon version 1.8.1 As usual, the source can be downloaded at https://fedorahosted.org/sssd Packages for Fedora will be built later today and should appear in updates-testing within two days. == Highlights == * Resolve issue where we could enter an infinite loop trying to connect to an auth server * Fix serious issue with complex (3+ levels) nested groups * Fix netgroup support for case-insensitivity and aliases * Fix serious issue with lookup bundling resulting in requests never completing * IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate * Fix several regressions in the proxy provider == Detailed Changelog == Jakub Hrozek (12): * Use proper errno code * Only do one cycle when resolving a server * krb5_child: set debugging sooner * Search netgroups by alias, too * Detect cycle in the fail over on subsequent resolve requests only * Autofs: operate on contents of double-pointer, not address * Only free returned values on success * Save original name into the in-memory cache * Handle errors from lookup_netgr_step gracefully * Fix nested groups processing * Fix netgroup error handling * Handle empty elements in proxy netgroups: Jan Cholasta (1): * Include missing source files to the list of source files which contain translatable strings Jan Zeleny (5): * Fix the script path * Fixed uninitialized pointer in SSH known host proxy * Fixed uninitialized pointer in SSH authorized keys client * Add umask before mkstemp() call in SSH responder * Fixed resource leak in ssh client code Pavel Březina (6): * Hide --debug option in sss_debuglevel * Two memory leaks in sss_sudo_get_values * Missing debug message if sdap_sudo_refresh_set_timer fails * Use of unininitialized value in sudosrv_cache_set_entry and sudosrv_cache_lookup_internal * Use of unininitialized value in sss_sudo_parse_response * Potential NULL-dereference in sudosrv_cmd_get_sudorules Simo Sorce (1): * Use the correct hash table for pending requests Stephen Gallagher (20): * Bump version to 1.8.1 * Fix typo in autofs option description * Include the debug_level upgrade tool in the tarball * Include new manpages in translations * Updating translations for SSSD 1.8.1 * Fix typo in script name * Handle cases where UID is -1 * IPA: Set the DNS discovery domain to match ipa_domain * IPA: Fix segfault with srchost functionality enabled * DP: Reorganize memory hierarchy of requests * Prune python provides correctly * Make RPM spec more explicit * Build experimental features by default in RPMs * Properly terminate GIT_CHECKOUT * LDAP: Make sdap_access_send/recv public * IPA: Check nsAccountLock during PAM_ACCT_MGMT * PROXY: Create fake user entries for group lookups * SSH: Fix missing semicolon * IPA: Initialize hbac_ctx to NULL * i18n: Remove empty translations Yuri Chornoivan (1): * fix typos in manual

1 0

[PATCH] Fix validation errors in translations
by Stephen Gallagher 12 Mar '12

12 Mar '12

This patch corrects some validation errors resulting in translation files not being output (the build system would just detect the error and scrap the translation for these languages).

1 1

building ssd-1.8.0 on RHEL6
by Moritz Baumann 12 Mar '12

12 Mar '12

Hi there, ist it safe to pick the rawhide sssd-1.8.0-6.fc18.src.rpm, change ldb_version to %global ldb_version 0.9.10 and fix the RPM build errors: File must begin with "/": %{_unitdir}/sssd.service Or do I have to build the newer ldb version (1.1.4)? We are running in timeout problems with sssd lookups and would like to test the new sssd version to see if this improoves things. Or is there somewhere an official sssd-1.8.0 in some fasttrack channel? Best, Moritz Baumann

2 1

[PATCH] IPA: Initialize hbac_ctx to NULL
by Stephen Gallagher 12 Mar '12

12 Mar '12

Pushed to master and sssd-1-8 under the one-liner rule.

1 0

[PATCH] Two proxy netgroups fixes
by Jakub Hrozek 09 Mar '12

09 Mar '12

Hi, attached are two patches for issues I found in the proxy netgroups code. [PATCH 1/2] Fix netgroup error handling https://fedorahosted.org/sssd/ticket/1242 The patch improves error handling, and, most importanly, deletes any netgroup that might be in the cache if the search did not yield any results. There's one catch, though. During my testing with nss-pam-ldapd, all the NSS operations returned NSS_STATUS_SUCCESS and an empty "struct __netgrent" structure for cases when the netgroup existed and when the netgroup existed but had no nisNetgroupTriple attributes. This may be a nss-pam-ldapd bug, though..is there any other back end that could be used to test? I'd like to avoid setting up NIS :-) [PATCH 2/2] Handle empty elements in proxy netgroups The make_netgroup_attr() function did not check for NULL elements of netgroup triples and could print literal "(null)" into the triple element in the nice case and crash in the worse case.

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel March 2012