sssd-devel November 2013

sssd-devel@lists.fedorahosted.org

18 participants
68 discussions

Makefile split
by Lukas Slebodnik 18 Nov '13

18 Nov '13

ehlo, We have a very big Makefile.am bash$ wc -l Makefile.am 2152 Makefile.am And it will be much bigger, because there is initiative to improve code coverage with unit tests. I have an idea to split current big makefile to smaller ones. If we want to split Makefile it will have pros and cons. Backporting patches to older branches can cause more conflicts, so we should also split Makefile in 1.11 branch. Another problem can be patches on the list will not be able to apply. On the other hand, separated makefiles will be well-arranged and it will be easier to add specific targets to different makefiles. I decided to prepare some proof of concept. Attached patch moves test to separate Makefile in subdirectories with test. 546 lines were removed from main Makefile (size was decreased by 25%). Lot of things can be improved in patch, but main point of this mail is. Does it worth to split makefiles? LS

3 2

[PATCHES] Safealign (acked part)
by Michal Židek 15 Nov '13

15 Nov '13

These patches were already acked by Lukas in different thread, but as he requested, I am sending them in mew thread, so that they do not mix with the rest of the patches from original patchset. Pasting Lukas's acks :) >From fd83c562aa08ef20a5c8be18e5599e953eb7755f Mon Sep 17 00:00:00 2001 > From: Michal Zidek <mzidek(a)redhat.com> > Date: Mon, 26 Aug 2013 14:21:39 +0200 > Subject: [PATCH 2/7] sss_client: Use SAFEALIGN_SETMEM_<type> macros where > appropriate. > > https://fedorahosted.org/sssd/ticket/1359 > --- ACK >From 7bcba9c5aa8b383bb37591ba67478493f557e63d Mon Sep 17 00:00:00 2001 > From: Michal Zidek <mzidek(a)redhat.com> > Date: Tue, 27 Aug 2013 15:18:53 +0200 > Subject: [PATCH 3/7] krb5: Alignment warning reported by clang > > Do not store address from byte buffer into pointer > of diffrent type! > > https://fedorahosted.org/sssd/ticket/1359 > --- ACK >From de6e1491dac29b8415ccd8a8ab17c8242cbc0146 Mon Sep 17 00:00:00 2001 > From: Michal Zidek <mzidek(a)redhat.com> > Date: Fri, 20 Sep 2013 11:49:32 +0200 > Subject: [PATCH 7/7] monitor: Stop using unnecessary helper pointer. > ACK

3 2

[PATCHES] nss: check for Well-Known SIDs in SID based requests
by Sumit Bose 15 Nov '13

15 Nov '13

Hi, with the patch set SSSD can resolve so called Well-Known SID, i.e. SIDs with a special, hard-coded meaning. Currently a man page entry for this feature is missing. I plan to add a common section the sssd-ad and sssd-ipa man pages and a reference to this section in the sssd.conf man page. The man reason to document it is the introduction of reserved domain and user names. With the current patches the reserved domain names are 'NT AUTHORITY' and 'BUILTIN'. The reserved user names are 'NULL SID', 'Everyone', 'LOCAL', 'CONSOLE LOGON', 'CREATOR OWNER', 'CREATOR GROUP', 'CREATOR OWNER SERVER', 'CREATOR GROUP SERVER' and 'OWNER RIGHTS'. The tries to mimic the behaviour of Samba and AD which return a domain or authority name for S-1-5-[0-20] and S-1-5-32-* SIDs but none for S-1-[0-3] SIDs. For the latter it would be possible to add domain/authority names (Null, World, Local, Creator Authority). The leaves us with no reserved user names but more reserved domain names. Any opinions what would be the better approach? A second question is about translation. At least some of the names for the Well-Knowns SIDs are translated in localized version of Windows. Shall we do the same? If yes, is it possible to mark the strings so that the translators see that not a random translation is expected but only the value Windows used in the corresponding localized version? bye, Sumit

3 11

[PATCH] SYSDB: Print message why netgroup cannot be parsed
by Lukas Slebodnik 15 Nov '13

15 Nov '13

ehlo, It was not easy find out why netgroup could not be covert into result entries. Problem was that nisNetgroupTriple contained unexpected string "(,user01)" [sssd[nss]] [lookup_netgr_step] (0x0100): Requesting info for [netgr_example] [sssd[nss]] [lookup_netgr_step] (0x0020): Failed to convert results into entries [sssd[nss]] [nss_cmd_setnetgrent_done] (0x0020): setnetgrent failed [sssd[nss]] [netgr_hash_remove] (0x1000): netgroup [netgr_example] was already removed Simple patch is attached. LS

3 9

[PATCHES] Drop-redundant-sysdb_ctx-parameter
by Michal Židek 15 Nov '13

15 Nov '13

Hello, these patches (made by Jakub and me) remove redundant sysdb_ctx parameter from sysdb API in functions that are closely bound to some domain (sss_domain_info already contains sysdb_ctx, so there is no need to pass it as a separate parameter). NOTE: This is the first wave of sysdb refactoring effort. Other sysdb changes will follow, including ticket https://fedorahosted.org/sssd/ticket/2129 (Always store users with FQDN with hardcoded format), which is change that should simplify handling of 'name' attribute and avoid code patterns like this: if (IS_SUBDOMAIN) { parse name and domain part from 'name' attribute using regular expression (requires initialization of names_ctx). } else { 'name' attribute contains only name } In other words, we should store data in unified manner for main domains as well as for subdomains and avoid the need for regular expressions when simply need to parse name and domain portion from the 'name' attribute. Alternatively we might store name and domain portions in separate attributes instead of one FQDN attribute. Thanks, Michal

4 14

[PATCH] monitor: return right error code
by Lukas Slebodnik 15 Nov '13

15 Nov '13

ehlo, simple patch is attached. LS

3 3

[PATCHES] Alignment issues reported by Clang
by Michal Židek 15 Nov '13

15 Nov '13

Patches 1-4 and 9: These patches use the SAFEALIGN macros where it is appropriate. I split them into several patches for easier review, so that client code changes are not mixed with the rest of the code and changes that are a little different than the rest have their own patch. Patches 5-6: Here I think it is not needed to use uint8_t* or char*. We cast the pointer anyway and there are no real alignment issues (the memory is aligned properly). I was thinking about suppressing the warnings with #pragma here, but in this particular situation it is IMO better to have just void*. Patches 7-8: These were all false positive warnings. It is possible to suppress them with additional casting but I found it less readable so I used #pragma. Patch 10: We had improperly aligned part of a buffer used in client code. Also some code blocks here must rely on fact that the buffer they get is aligned properly (they can do nothing about it if it isn't). In these cases it is better to silence the warnings, so that it does not make permanent noise during compilation. Thanks Michal

5 13

[PATCH] LDAP: Prevent from using uninitialized sdap_options
by Lukas Slebodnik 14 Nov '13

14 Nov '13

ehlo, previously, variable "struct sdap_options *opts" was part of bectx When ldap_get_options failed in time of ldap backend initialisation sdap_options(ctx->opts) remained NULL. After refactoring dcb44c39dda9699cdd6488fd116a51ced0687de3 "LDAP: sdap_id_ctx might contain several connections" talloc_free can be called with uninitialised sdap_options opts if initial call to ldap_get_options fail. I didn't change done section because talloc_free can be safely call with NULL pointer. Simple patch is attached. LS

2 2

[PATCH] PAC: Free config attribute when it's processed
by Jakub Hrozek 14 Nov '13

14 Nov '13

We kept the string form of the PAC UID list allocated on top responder context for no reason.

2 2

Re: [SSSD] auth.log error message: _sasl_plugin_load failed
by Qing Chang 14 Nov '13

14 Nov '13

On 14/11/2013 4:41 AM, sssd-devel-request(a)lists.fedorahosted.org wrote: > Date: Thu, 14 Nov 2013 10:41:45 +0100 From: Jakub Hrozek <jhrozek(a)redhat.com> To: > sssd-devel(a)lists.fedorahosted.org Subject: Re: [SSSD] auth.log error message: _sasl_plugin_load > failed on sasl_canonuser_init for plugin: ldapdb Message-ID: > <20131114094145.GD3266(a)hendrix.brq.redhat.com> Content-Type: text/plain; charset=us-ascii On Wed, > Nov 13, 2013 at 04:19:03PM -0500, Qing Chang wrote: >> >there was a thread on Aug 8, 2013 that was about this error, my situation is >> >a little different. This happens on Ubuntu 12.04 IPA clients, which automounts >> >kerberized NFSv4. >> > >> >I am let to believe that this error may be the cause of a weird problem that >> >users are able to login wither per ssh or lightdm. >> > >> >Open an ssh session, type in username and password, successful authentication >> >is logged in auth.log, but the session just hangs at the login prompt. >> >===== >> >Nov 13 09:52:33 murjo sshd[2746]: pam_unix(sshd:auth): >> >authentication failure; logname= uid=0 euid=0 tty=ssh ruser= >> >rhost=fish user=qchang >> >Nov 13 09:52:34 murjo sshd[2746]: pam_sss(sshd:auth): authentication >> >success; logname= uid=0 euid=0 tty=ssh ruser= rhost=fish user=qchang >> >Nov 13 09:52:34 murjo sshd[2746]: Accepted password for qchang from port 33621 ssh2 >> >Nov 13 09:52:34 murjo sshd[2746]: pam_unix(sshd:session): session opened for user qchang by (uid=0) >> >Nov 13 09:53:04 murjo sssd_be: canonuserfunc error -7 >> >Nov 13 09:53:04 murjo sssd_be: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb >> >Nov 13 09:57:23 murjo sshd[902]: Received signal 15; terminating. >> >Nov 13 09:57:23 murjo sshd[997]: Server listening on 0.0.0.0 port 22. >> >Nov 13 09:57:23 murjo sshd[997]: Server listening on :: port 22. >> >Nov 13 09:57:34 murjo lightdm: pam_unix(lightdm:session): session opened for user lightdm by (uid=0) >> >Nov 13 09:57:34 murjo lightdm: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :0 >> >Nov 13 09:57:35 murjo dbus[910]: [system] Rejected send message, 2 >> >matched rules; type="method_call", sender=":1.16" (uid=104 pid=1554 >> >comm="/usr/lib/indicator-datetim >> >e/indicator-datetime-ser") >> >interface="org.freedesktop.DBus.Properties" member="GetAll" error >> >name="(unset)" requested_reply="0" destination=":1.9" (uid=0 >> >pid=1400 comm >> >="/usr/sbin/console-kit-daemon --no-daemon ") >> >Nov 13 09:57:43 murjo automount[1725]: canonuserfunc error -7 >> >Nov 13 09:57:43 murjo automount[1725]: _sasl_plugin_load failed on >> >sasl_canonuser_init for plugin: ldapdb >> >Nov 13 09:57:44 murjo automount[1725]: DIGEST-MD5 common mech free >> >Nov 13 09:57:44 murjo automount[1725]: canonuserfunc error -7 > This looks like some kind of cyrus-sasl misconfiguration, not really > anything wrong in the SSSD. > This host is configured as IPA client with kerberized NFSv4, the configuration process involves ipa-client-setup and some ker-NFS related changes, but nothing is done directly regarding cyrus-sasl. How I can find out what has gone wrong? ===== sssd.conf ===== [domain/sri.utoronto.ca] cache_credentials = True krb5_store_password_if_offline = True krb5_renewable_lifetime = 7d krb5_renew_interval = 3600 ipa_domain = sri.utoronto.ca id_provider = ipa auth_provider = ipa access_provider = ipa chpass_provider = ipa ipa_server = _srv_, ipa1.sri.utoronto.ca ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, pam config_file_version = 2 domains = sri.utoronto.ca [nss] [pam] [sudo] [autofs] [ssh] ===== Thanks, Qing

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel November 2013