[PATCH] Special-case LDAP_SIZELIMIT_EXCEEDED
by Jakub Hrozek
Previous versions of the SSSD did not abort the async LDAP search
operation on errors. In cases where the request ended in progress, such
as when the paging was very strictly limited, the old versions at least
returned partial data.
This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a
user-visible regression.
https://fedorahosted.org/sssd/ticket/1322
10 years, 8 months
variable substitution in ldap_access_filter
by Angel Bosch
Hi,
is there any variable substitution available in ldap_access_filter?
I'm (still) using posixgroup for user groups and I would like something like:
ldap_access_filter = (&(cn=sysadmins)(memberuid=$USER))
regards,
abosch
10 years, 8 months
[PATCH] Remove erroneous failure message in find_principal_in_keytab
by Stef Walter
find_principal_in_keytab is used in loops to look for various principals
in a keytab. Having failure debug messages in find_principal_in_keytab
produces erroneous output where it looks like something has failed, but
in reality just another principal was chosen.
All the callers of find_principal_in_keytab output failure debug lines
in cases where there really is a failure. So the patch quiets this down
and fine-tunes things.
Cheers,
Stef
10 years, 8 months
[PATCH] If canon'ing principals, write ccache with updated default principal
by Stef Walter
If krb5_canonicalize is not present or is True in sssd.conf, then sssd
asks krb5_get_init_creds_keytab() to canonicalize principals. This can
change the client principal. When writing out the credential cache, we
should use this changed principal, and not the original one.
Failure to do this results in errors when LDAP tries to use the
credential cache:
[19310] 1334138369.931274: Initializing
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with
default principal STEF-DESKTOP$@AD.THEWALTER.LAN
[19310] 1334138369.945192: Removing stef-desktop$@AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[19310] 1334138369.945221: Storing stef-desktop$@AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN in
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]]
[read_pipe_handler] (0x0400): EOF received, client finished
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]]
[sdap_get_tgt_recv] (0x0400): Child responded: 0
[FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN], expired
on [1334174369]
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send]
(0x0100): Executing sasl bind mech: GSSAPI, user: (null)
[18211] 1334138369.946687: ccselect can't find appropriate cache for
server principal ldap/dc.ad.thewalter.lan@
[18211] 1334138369.946754: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with
result: -1765328243/Matching credential not found
[18211] 1334138369.946769: Getting credentials
STEF-DESKTOP$@AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@ using ccache
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
[18211] 1334138369.946802: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
ldap/dc.ad.thewalter.lan@ from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with
result: -1765328243/Matching credential not found
[18211] 1334138369.946830: Retrying STEF-DESKTOP$@AD.THEWALTER.LAN ->
ldap/dc.ad.thewalter.lan@AD.THEWALTER.LAN with result:
-1765328243/Matching credential not found
[18211] 1334138369.946836: Server has referral realm; starting with
ldap/dc.ad.thewalter.lan@AD.THEWALTER.LAN
[18211] 1334138369.946863: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with
result: -1765328243/Matching credential not found
[18211] 1334138369.946891: Retrieving STEF-DESKTOP$@AD.THEWALTER.LAN ->
krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN from
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with
result: -1765328243/Matching credential not found
(Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send]
(0x0020): ldap_sasl_bind failed (-2)[Local error]
This is because the default principal in the credential cache does not
match any of the credentials:
[root@stef-desktop data]# klist
FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Ticket cache: FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN
Default principal: STEF-DESKTOP$@AD.THEWALTER.LAN
Valid starting       Expires              Service principal
04/11/12 12:01:01    04/11/12 22:00:48    krbtgt/AD.THEWALTER.LAN@AD.THEWALTER.LAN
        for client stef-desktop$@AD.THEWALTER.LAN, renew until 04/12/12 12:01:01
Note the difference in capitalization.
This bug is present in SSSD git master.
Will attach simple patch which fixes the problem. An alternate patch
would be to use krb5_get_init_creds_opt_set_out_ccache() instead of
writing the credential cache in sssd code.
Cheers,
Stef
10 years, 9 months
[PATCH] Modify behavior of pam_pwd_expiration_warning
by Jan Zelený
- rename the option to pwd_expiration_warning
- move the option from PAM responder to domains
- if pwd_expiration_warning == 0, don't apply the filter at all
- default value for Kerberos: 7 days
- default value for LDAP: don't apply the filter
Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider.
https://fedorahosted.org/sssd/ticket/1140
Thanks
Jan
10 years, 9 months
[PATCH] Fix endian issue in SID conversion
by Sumit Bose
Hi,
I ran some tests on PPC and found an issue in the SID conversion
functions of libidmap with respect to the byte-order. With the attached
patch, make test passed on big- and little-endian platforms.
bye,
Sumit
10 years, 9 months
Announcing SSSD 1.8.3
by Stephen Gallagher
The SSSD team is proud to announce the bugfix release of the System
Security Services Daemon version 1.8.3.
As usual, the source can be downloaded at https://fedorahosted.org/sssd
== Highlights ==
* Numerous manpage and translation updates
* LDAP: Handle situations where the RootDSE isn't available anonymously
* LDAP: Fix regression for users using non-standard LDAP attributes for
user information
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1183
  sssd.conf man page does not list autofs in the list of known services
https://fedorahosted.org/sssd/ticket/1219
  Warn on 'make update-po' if there are manpages not listed in po4a.cfg
https://fedorahosted.org/sssd/ticket/1249
  Unable to lookup user aliases with proxy provider.
https://fedorahosted.org/sssd/ticket/1258
  SSSD should attempt to get the RootDSE after binding
https://fedorahosted.org/sssd/ticket/1265
  document the possible performance gains of disabling referral chasing
https://fedorahosted.org/sssd/ticket/1278
  Inadequate info in man page for "ldap_disable_paging" feature
https://fedorahosted.org/sssd/ticket/1290
  No info in sssd manpages for "ldap_sasl_minssf"
https://fedorahosted.org/sssd/ticket/1295
  Fix erroneous reference to the 'allow' access_provider
https://fedorahosted.org/sssd/ticket/1300
  autofs: maximum key name must be PATH_MAX
https://fedorahosted.org/sssd/ticket/1307
  sdap_check_aliases must not error when it detects the same user
https://fedorahosted.org/sssd/ticket/1312
  group members are now lowercased in case insensitive domains
https://fedorahosted.org/sssd/ticket/1320
  Auth fails for user with non-default attribute names
== Detailed Changelog ==
Jakub Hrozek (14):
* man: document that referral chasing might bring performance penalty
* pam_sss: improve error handling in SELinux code
* Remove the "command" option from documentation
* autofs: Raise the maximum key length to PATH_MAX
* MAN: timeout can be specified for services, too
* MAN: document the hostid and autofs providers
* proxy: Canonicalize user and group names
* proxy: new option proxy_fast_alias
* sdap_check_aliases must not error when it detects the same user
* Document sss_tools better
* Get the RootDSE after binding if not successful before
* confdb_get_bool needs a TALLOC_CTX in sssd-1.8
* Lowercase group members in case-insensitive domains
* Read sysdb attribute name, not LDAP attribute map name
Marco Pizzoli (1):
* Two manual pages fixes
Pavel Březina (1):
* sudo api: check sss_status instead of errnop in sss_sudo_send_recv_generic()
Stef Walter (1):
* Fix erroneous reference to the 'allow' access_provider
Stephen Gallagher (6):
* Bumping version to 1.8.3
* MAN: Improve ldap_disable_paging documentation
* MAN: Add ldap_sasl_minssf to the manpage
* Update translation files
* Fix typo in translation file
* Update translations for 1.8.3 release
Yuri Chornoivan (1):
* Fix typo: retreiving->retrieving
10 years, 9 months
[PATCHES] Add support for ID-mapping with Active Directory domains
by Stephen Gallagher
These patches are built atop Sumit's recent patch "Allow different SID
representations in libidmap". I added the manpage as a single patch near
the end because it was just too much trouble to do it piecemeal
throughout the set. This patch series went through numerous iterations,
so some of the patches may be slightly out of order. Please review as a
whole. The patches themselves are separated primarily the way they are
to make reviewing easier. Some have notes below to guide the reviewer to
changes that may have been revised later but were nontrivial to rewrite
history for.
Patch 0001: Add objectSID config option
This patch adds an option to specify the objectSID attribute on the LDAP
server, for use when performing ID-mapping
Patch 0002: Add option to enable id-mapping
Patch 0003: Add sysdb routines for storing ID maps in the cache
Patch 0004: Add helper routines to the LDAP provider for ID mapping
This contains the meat of the ID-mapping algorithm. See the manpage in
Patch 0020 for full details.
Patch 0005: Add options for configuring range settings
Patch 0006: LDAP: Initialize ID mapping when configured
Patch 0007: Do ID-mapped lookups for users
Note: this patch contains a bit of code that has been refactored by the
end of the patchset (specifically it references binary_to_dom_sid() and
dom_sid_to_string()). I didn't bother rewriting this particular bit of
history because it's replaced entirely by Patch 0016 anyway (which uses
the correct functions from Sumit's patch).
Patch 0008: Add an autorid compatibility mode
Autorid assigns slices as first-come-first-served. This will force the
LDAP ID-mapping to behave the same way.
Patch 0009: Add a feature to guarantee that a single "default" domain is
always assigned to slice 0, regardless of hashing. This can be used to
extend autorid compatibility mode.
Patch 0010: Helper routine to get the domain SID portion from a user or
group objectSID
Patch 0011: Allow us to auto-provision a new domain when we see one for
the first time.
Note: this gets turned into its own function in Patch 0018 for reuse in
groups and initgroups.
Patch 0012: Look up mapped users by UID
Patch 0013: Look up mapped groups by name
Patch 0014: Look up mapped groups by GID
Patch 0015: Map the user's primaryGID. Active Directory stores only the
RID of the primary group, so we extract the domain SID from the user SID
and then convert the group ID from that.
Patch 0016: Common routine to convert an LDAP blob of the objectSID into
a UNIX ID.
Patch 0017: Hack to ensure that uidNumber and gidNumber are not deleted
when we save users and groups.
Patch 0018: Convert the auto-provisioning code into a common routine,
rather than copying it everywhere.
Patch 0019: Handle cases where we have an unmappable ID (such as
special-case SIDs) for a group membership. In these cases, we'll treat
the groups as non-POSIX so we can safely continue.
Patch 0020: (Hopefully) comprehensive manpage on the ID-mapping feature.
It's separated into its own include file so that it will be possible to
import it into the manpage for the AD provider when that is available.
10 years, 9 months
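Two of the posts above touch the same piece of plumbing: Sumit's byte-order fix in the libidmap SID conversion, and Patch 0015 of the ID-mapping series, which derives the primary group's SID from the user's objectSID plus the primaryGroupID RID. The following is an added illustration, not SSSD or libidmap code, of how both steps look when the binary SID is decoded byte by byte so that the result does not depend on host endianness; the function names and the sample blob are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of a Windows SID: revision (1 byte), sub-authority count (1 byte),
 * identifier authority (6 bytes, big-endian), then up to 15 sub-authorities
 * (4 bytes each, little-endian). Assembling each 32-bit field byte by byte gives
 * the same result on big- and little-endian hosts; casting to uint32_t would not.
 * Renders the blob as "S-1-5-21-...". Returns bytes consumed, 0 on error. */
size_t sid_bin_to_string(const uint8_t *blob, size_t len, char *out, size_t out_len)
{
    if (len < 8 || blob[0] != 1 || blob[1] > 15 || len < 8 + 4 * (size_t)blob[1])
        return 0;
    size_t count = blob[1];
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | blob[2 + i];
    int n = snprintf(out, out_len, "S-1-%llu", (unsigned long long)auth);
    if (n < 0 || (size_t)n >= out_len) return 0;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = blob + 8 + 4 * i;
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(out + n, out_len - (size_t)n, "-%u", sub);
        if (m < 0 || (size_t)m >= out_len - (size_t)n) return 0;
        n += m;
    }
    return 8 + 4 * count;
}

/* Primary group SID: AD stores only the RID (primaryGroupID), so take the domain
 * part of the user SID (everything before the last '-') and append that RID. */
int sid_primary_group(const char *user_sid, uint32_t primary_gid, char *out, size_t out_len)
{
    const char *dash = strrchr(user_sid, '-');
    if (dash == NULL || dash == user_sid) return 0;
    int n = snprintf(out, out_len, "%.*s-%u", (int)(dash - user_sid), user_sid, primary_gid);
    return n > 0 && (size_t)n < out_len;
}

/* Constructed sample blob: user S-1-5-21-1-2-3-1000, primaryGroupID 513. */
int sid_selftest(void)
{
    static const uint8_t blob[] = { 1, 5, 0, 0, 0, 0, 0, 5, 0x15, 0, 0, 0, 1, 0, 0, 0,
                                    2, 0, 0, 0, 3, 0, 0, 0, 0xE8, 0x03, 0, 0 };
    char sid[96], grp[96];
    if (sid_bin_to_string(blob, sizeof(blob), sid, sizeof(sid)) != sizeof(blob)) return 0;
    if (strcmp(sid, "S-1-5-21-1-2-3-1000") != 0) return 0;
    if (!sid_primary_group(sid, 513, grp, sizeof(grp))) return 0;
    return strcmp(grp, "S-1-5-21-1-2-3-513") == 0;
}
```

The length and revision checks up front matter because the blob comes straight from the directory: a truncated or malformed objectSID is rejected before any sub-authority is read.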
can list all users/groups but can't get specific accounts
by Angel Bosch
I'm trying to configure sssd on precise pangolin and I can list all users and groups with
getent passwd
getent group
but if I try to get info for one user I don't get anything
getent passwd testuser
id testuser
I've configured and double checked all settings regarding ldap, even TLS (I've tested renaming cert and naming it back).
we expect to perform a pilot migration next month and I would like to use sssd for laptops.
please, ask if you want further info or debug files.
abosch
10 years, 9 months