sssd-devel May 2012

sssd-devel@lists.fedorahosted.org

25 participants
89 discussions

[PATCH] Special-case LDAP_SIZELIMIT_EXCEEDED
by Jakub Hrozek 07 May '12

07 May '12

Previous version of the SSSD did not abort the async LDAP search operation on errors. In cases where the request ended in progress, such as when the paging was very strictly limited, the old versions at least returned partial data. This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a user-visible regression. https://fedorahosted.org/sssd/ticket/1322

2 2

[PATCH] Fix typo in debug message
by Pavel Březina 07 May '12

07 May '12

2 3

variable substitution in ldap_access_filter
by Angel Bosch 07 May '12

07 May '12

hi, is there any variable substitution available in ldap_access_filter? i'm (still) using posixgroup for user groups and i would like something like: ldap_access_filter = (&(cn=sysadmins)(memberuid=$USER)) regards, abosch

3 9

[PATCH] Remove erroneous failure message in find_principal_in_keytab
by Stef Walter 07 May '12

07 May '12

find_principal_in_keytab is used in loops to look for various principals in a keytab. Having failure debug messages in find_principal_in_keytab produces erroneous output where it looks like something has failed, but in reality just another principal was chosen. All the callers of find_principal_in_keytab output failure debug lines in cases where there really is a failure. So the patch quiets this down and fine tunes things. Cheers, Stef

3 2

[PATCH] If canon'ing principals, write ccache with updated default principal
by Stef Walter 04 May '12

04 May '12

If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache: [19310] 1334138369.931274: Initializing FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with default principal STEF-DESKTOP$(a)AD.THEWALTER.LAN [19310] 1334138369.945192: Removing stef-desktop$(a)AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN(a)AD.THEWALTER.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN [19310] 1334138369.945221: Storing stef-desktop$(a)AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN(a)AD.THEWALTER.LAN in FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN (Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN], expired on [1334174369] (Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null) [18211] 1334138369.946687: ccselect can't find appropriate cache for server principal ldap/dc.ad.thewalter.lan@ [18211] 1334138369.946754: Retrieving STEF-DESKTOP$(a)AD.THEWALTER.LAN -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found [18211] 1334138369.946769: Getting credentials STEF-DESKTOP$(a)AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@ using ccache FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN [18211] 1334138369.946802: Retrieving STEF-DESKTOP$(a)AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan@ from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found [18211] 1334138369.946830: Retrying STEF-DESKTOP$(a)AD.THEWALTER.LAN -> ldap/dc.ad.thewalter.lan(a)AD.THEWALTER.LAN with result: -1765328243/Matching credential not found [18211] 1334138369.946836: Server has referral realm; starting with ldap/dc.ad.thewalter.lan(a)AD.THEWALTER.LAN [18211] 1334138369.946863: Retrieving STEF-DESKTOP$(a)AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN(a)AD.THEWALTER.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found [18211] 1334138369.946891: Retrieving STEF-DESKTOP$(a)AD.THEWALTER.LAN -> krbtgt/AD.THEWALTER.LAN(a)AD.THEWALTER.LAN from FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN with result: -1765328243/Matching credential not found (Wed Apr 11 11:59:29 2012) [sssd[be[ad.thewalter.lan]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error] This is because the default principal in the credential cache does not match any of the credentials: [root@stef-desktop data]# klist FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN Ticket cache: FILE:/data/build/sssd/var/lib/sss/db/ccache_AD.THEWALTER.LAN Default principal: STEF-DESKTOP$(a)AD.THEWALTER.LAN Valid starting Expires Service principal 04/11/12 12:01:01 04/11/12 22:00:48 krbtgt/AD.THEWALTER.LAN(a)AD.THEWALTER.LAN for client stef-desktop$(a)AD.THEWALTER.LAN, renew until 04/12/12 12:01:01 Note the difference in capitalization. This bug is present in SSSD git master. Will attach simple patch which fixes the problem. An alternate patch would be to use krb5_get_init_creds_opt_set_out_ccache() instead of writing the credential cache in sssd code. Cheers, Stef

2 3

[PATCH] Modify behavior of pam_pwd_expiration_warning
by Jan Zelený 04 May '12

04 May '12

- rename the option to pwd_expiration_warning - move the option from PAM responder to domains - if pwd_expiration_warning == 0, don't apply the filter at all - default value for Kerberos: 7 days - default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider. https://fedorahosted.org/sssd/ticket/1140 Thanks Jan

2 7

[PATCH] Fix endian issue in SID conversion
by Sumit Bose 04 May '12

04 May '12

Hi, I run some tests on PPC and found an issue in the SID conversion functions of libidmap with respect to the byte-order. With the attached patch make test passed on big- and little-endian platforms. bye, Sumit

2 2

Announcing SSSD 1.8.3
by Stephen Gallagher 03 May '12

03 May '12

The SSSD team is proud to announce the bugfix release of the System Security Services Daemon version 1.8.3. As usual, the source can be downloaded at https://fedorahosted.org/sssd == Highlights == * Numerous manpage and translation updates * LDAP: Handle situations where the RootDSE isn't available anonymously * LDAP: Fix regression for users using non-standard LDAP attributes for user information == Tickets Fixed == https://fedorahosted.org/sssd/ticket/1183 sssd.conf man page does not list autofs in the list of known services https://fedorahosted.org/sssd/ticket/1219 Warn on 'make update-po' if there are manpages not listed in po4a.cfg https://fedorahosted.org/sssd/ticket/1249 Unable to lookup user aliases with proxy provider. https://fedorahosted.org/sssd/ticket/1258 SSSD should attempt to get the RootDSE after binding https://fedorahosted.org/sssd/ticket/1265 document the possible performance gains of disabling referral chasing https://fedorahosted.org/sssd/ticket/1278 Inadequate info in man page for "ldap_disable_paging" feature https://fedorahosted.org/sssd/ticket/1290 No info in sssd manpages for "ldap_sasl_minssf" https://fedorahosted.org/sssd/ticket/1295 Fix erronous reference to the 'allow' access_provider https://fedorahosted.org/sssd/ticket/1300 autofs: maximum key name must be PATH_MAX https://fedorahosted.org/sssd/ticket/1307 sdap_check_aliases must not error when detects the same user https://fedorahosted.org/sssd/ticket/1312 group members are now lowercased in case insensitive domains https://fedorahosted.org/sssd/ticket/1320 Auth fails for user with non-default attribute names == Detailed Changelog == Jakub Hrozek (14): * man: document that referral chasing might bring performance penalty * pam_sss: improve error handling in SELinux code * Remove the "command" option from documentation * autofs: Raise the maximum key length to PATH_MAX * MAN: timeout can be specified for services, too * MAN: document the hostid and autofs providers * proxy: Canonicalize user and group names * proxy: new option proxy_fast_alias * sdap_check_aliases must not error when detects the same user * Document sss_tools better * Get the RootDSE after binding if not successfull before * confdb_get_bool needs a TALLOC_CTX in sssd-1.8 * Lowercase group members in case-insensitive domains * Read sysdb attribute name, not LDAP attribute map name Marco Pizzoli (1): * Two manual pages fixes Pavel Březina (1): * sudo api: check sss_status instead of errnop in sss_sudo_send_recv_generic() Stef Walter (1): * Fix erronous reference to the 'allow' access_provider Stephen Gallagher (6): * Bumping version to 1.8.3 * MAN: Improve ldap_disable_paging documentation * MAN: Add ldap_sasl_minssf to the manpage * Update translation files * Fix typo in translation file * Update translations for 1.8.3 release Yuri Chornoivan (1): * Fix typo: retreiving->retrieving

1 0

[PATCHES] Add support for ID-mapping with Active Directory domains
by Stephen Gallagher 03 May '12

03 May '12

These patches are built atop Sumit's recent patch "Allow different SID representations in libidmap". I added the manpage as a single patch near the end because it was just too much trouble to do it piecemeal throughout the set. This patch series went through numerous iterations, so some of the patches may be slightly out of order. Please review as a whole. The patches themselves are separated primarily the way they are to make reviewing easier. Some have notes below to guide the reviewer to changes that may have been revised later but were nontrivial to rewrite history for. Patch 0001: Add objectSID config option This patch adds an option to specify the objectSID attribute on the LDAP server, for use when performing ID-mapping Patch 0002: Add option to enable id-mapping Patch 0003: Add sysdb routines for storing ID maps in the cache Patch 0004: Add helper routines to the LDAP provider for ID mapping This contains the meat of the ID-mapping algorithm. See the manpage in Patch 0020 for full details. Patch 0005: Add options for configuring range settings Patch 0006: LDAP: Initialize ID mapping when configured Patch 0007: Do ID-mapped lookups for users Note: this patch contains a bit of code that has been refactored by the end of the patchset (specifically it references binary_to_dom_sid() and dom_sid_to_string()). I didn't bother rewriting this particular bit of history because it's replaced entirely by Patch 0016 anyway (which uses the correct functions from Sumit's patch). Patch 0008: Add an autorid compatibility mode Autorid assigns slices as first-come-first-served. This will force the LDAP ID-mapping to behave the same way. Patch 0009: Add a feature to guarantee that a single "default" domain is always assigned to slice 0, regardless of hashing. This can be used to extend autorid compatibility mode. Patch 0010: Helper routine to get the domain SID portion from a user or group objectSID Patch 0011: Allow us to auto-provision a new domain when we see one for the first time. Note: this gets turned into its own function in Patch 0018 for reuse in groups and initgroups. Patch 0012: Look up mapped users by UID Patch 0013: Look up mapped groups by name Patch 0014: Look up mapped groups by GID Patch 0015: Map the user's primaryGID. ActiveDirectory stores only the RID of the primary group, so we extract the domain SID from the user SID and then convert the group ID from that. Patch 0016: Common routine to convert an LDAP blob of the objectSID into a UNIX ID. Patch 0017: Hack to ensure that uidNumber and gidNumber are not deleted when we save users and groups. Patch 0018: Convert the auto-provisioning code into a common routine, rather than copying it everywhere. Patch 0019: Handle cases where we have an unmappable ID (such as special-case SIDs) for a group membership. In these cases, we'll treat the groups as non-POSIX so we can safely continue. Patch 0020: (Hopefully) comprehensive manpage on the ID-mapping feature. It's separated into its own include file so that it will be possible to import it into the manpage for the AD provider when that is available.

3 10

can list all users/groups but can't get specific accounts
by Angel Bosch 03 May '12

03 May '12

i'm trying to configure sssd on precise pangolin and I can list all users and groups with getent passwd getent group but if I try to get info for one user I don't get anything getent passwd testuser id testuser I've configured and double checked all settings regarding ldap, even TLS (i've tested renaming cert and naming it back). we expect to perform a pilot migration next month and I would like to use sssd for laptops. please, ask if you want further info or debug files. abosch

3 3

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel May 2012