Makefile split
by Lukas Slebodnik
ehlo,
We have a very big Makefile.am
bash$ wc -l Makefile.am
2152 Makefile.am
And it will be much bigger, because there is an initiative to improve code
coverage with unit tests. I have an idea to split the current big makefile into
smaller ones. If we want to split the Makefile, it will have pros and cons.
Backporting patches to older branches can cause more conflicts, so we should
also split the Makefile in the 1.11 branch. Another problem can be that patches on the list
will not apply. On the other hand, separated makefiles will be
well-arranged and it will be easier to add specific targets to different
makefiles.
I decided to prepare a proof of concept. The attached patch moves the tests to a
separate Makefile in the subdirectories with tests. 546 lines were removed from
the main Makefile (its size was decreased by 25%). A lot of things can be improved in
the patch, but the main point of this mail is: is it worth splitting the makefiles?
LS
10 years, 5 months
[PATCHES] Safealign (acked part)
by Michal Židek
These patches were already acked by Lukas in a different thread, but as he
requested, I am sending them in a new thread, so that they do not mix with
the rest of the patches from the original patchset.
Pasting Lukas's acks :)
>From fd83c562aa08ef20a5c8be18e5599e953eb7755f Mon Sep 17 00:00:00 2001
> From: Michal Zidek <mzidek(a)redhat.com>
> Date: Mon, 26 Aug 2013 14:21:39 +0200
> Subject: [PATCH 2/7] sss_client: Use SAFEALIGN_SETMEM_<type> macros where
> appropriate.
>
> https://fedorahosted.org/sssd/ticket/1359
> ---
ACK
>From 7bcba9c5aa8b383bb37591ba67478493f557e63d Mon Sep 17 00:00:00 2001
> From: Michal Zidek <mzidek(a)redhat.com>
> Date: Tue, 27 Aug 2013 15:18:53 +0200
> Subject: [PATCH 3/7] krb5: Alignment warning reported by clang
>
> Do not store address from byte buffer into pointer
> of different type!
>
> https://fedorahosted.org/sssd/ticket/1359
> ---
ACK
>From de6e1491dac29b8415ccd8a8ab17c8242cbc0146 Mon Sep 17 00:00:00 2001
> From: Michal Zidek <mzidek(a)redhat.com>
> Date: Fri, 20 Sep 2013 11:49:32 +0200
> Subject: [PATCH 7/7] monitor: Stop using unnecessary helper pointer.
>
ACK
10 years, 5 months
[PATCHES] nss: check for Well-Known SIDs in SID based requests
by Sumit Bose
Hi,
with the patch set SSSD can resolve so-called Well-Known SIDs, i.e. SIDs
with a special, hard-coded meaning.
Currently a man page entry for this feature is missing. I plan to add a
common section to the sssd-ad and sssd-ipa man pages and a reference to
this section in the sssd.conf man page. The main reason to document it is
the introduction of reserved domain and user names. With the current
patches the reserved domain names are 'NT AUTHORITY' and 'BUILTIN'. The
reserved user names are 'NULL SID', 'Everyone', 'LOCAL', 'CONSOLE
LOGON', 'CREATOR OWNER', 'CREATOR GROUP', 'CREATOR OWNER SERVER',
'CREATOR GROUP SERVER' and 'OWNER RIGHTS'. This tries to mimic the
behaviour of Samba and AD, which return a domain or authority name for
S-1-5-[0-20] and S-1-5-32-* SIDs but none for S-1-[0-3] SIDs. For the
latter it would be possible to add domain/authority names (Null, World,
Local, Creator Authority). This leaves us with no reserved user names but
more reserved domain names. Any opinions on what would be the better
approach?
A second question is about translation. At least some of the names for
the Well-Known SIDs are translated in localized versions of Windows.
Shall we do the same? If yes, is it possible to mark the strings so
that the translators see that not a random translation is expected but
only the value Windows used in the corresponding localized version?
bye,
Sumit
10 years, 5 months
[PATCH] SYSDB: Print message why netgroup cannot be parsed
by Lukas Slebodnik
ehlo,
It was not easy to find out why the netgroup could not be converted into result entries.
The problem was that nisNetgroupTriple contained the unexpected string "(,user01)":
[sssd[nss]] [lookup_netgr_step] (0x0100): Requesting info for [netgr_example]
[sssd[nss]] [lookup_netgr_step] (0x0020): Failed to convert results into entries
[sssd[nss]] [nss_cmd_setnetgrent_done] (0x0020): setnetgrent failed
[sssd[nss]] [netgr_hash_remove] (0x1000): netgroup [netgr_example] was already removed
Simple patch is attached.
LS
10 years, 5 months
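An added example (not part of the mail above and not SSSD's sysdb code) of a triple parser that reports why a value is rejected, so that a string like "(,user01)" produces a specific reason instead of a generic conversion failure. It assumes the conventional "(host,user,domain)" form with exactly two commas and no whitespace handling; all type and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names; an illustration, not SSSD's sysdb code. */
enum triple_err { TRIPLE_OK, TRIPLE_NO_OPEN, TRIPLE_NO_CLOSE,
                  TRIPLE_FIELD_COUNT, TRIPLE_TOO_LONG };
#define FIELD_MAX 256
struct triple { char host[FIELD_MAX], user[FIELD_MAX], domain[FIELD_MAX]; };

const char *triple_strerror(enum triple_err e)
{
    static const char *msg[] = {
        "ok", "missing opening parenthesis", "missing closing parenthesis",
        "expected exactly two commas (host,user,domain)", "field too long" };
    return msg[e];
}

/* Parse "(host,user,domain)"; any field may be empty, but all three
 * positions must be present. Returns the reason on failure. */
enum triple_err parse_triple(const char *s, struct triple *out)
{
    size_t len = strlen(s), commas = 0, start = 1, i, flen;
    char *fields[3] = { out->host, out->user, out->domain };
    int idx = 0;

    if (s[0] != '(') return TRIPLE_NO_OPEN;
    if (len < 2 || s[len - 1] != ')') return TRIPLE_NO_CLOSE;
    for (i = 1; i < len - 1; i++) commas += (s[i] == ',');
    if (commas != 2) return TRIPLE_FIELD_COUNT;

    /* Exactly two commas plus the closing ')' end the three fields. */
    for (i = 1; i < len; i++) {
        if (s[i] != ',' && i != len - 1) continue;
        flen = i - start;
        if (flen >= FIELD_MAX) return TRIPLE_TOO_LONG;
        memcpy(fields[idx], s + start, flen);
        fields[idx++][flen] = '\0';
        start = i + 1;
    }
    return TRIPLE_OK;
}

int main(void)
{
    /* Constructed samples; the second is the value quoted in the mail. */
    const char *samples[] = { "(host1,user01,example.com)", "(,user01)",
                              "(,user01,)", "host1,user01,example.com" };
    struct triple t;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s -> %s\n", samples[i],
               triple_strerror(parse_triple(samples[i], &t)));
    return 0;
}
```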
[PATCHES] Drop-redundant-sysdb_ctx-parameter
by Michal Židek
Hello,
these patches (made by Jakub and me) remove redundant sysdb_ctx
parameter from sysdb API in functions that are closely bound to some
domain (sss_domain_info already contains sysdb_ctx, so there is no need
to pass it as a separate parameter).
NOTE:
This is the first wave of the sysdb refactoring effort. Other sysdb changes
will follow, including ticket
https://fedorahosted.org/sssd/ticket/2129
(Always store users with FQDN with hardcoded format), which is a change
that should simplify handling of the 'name' attribute and avoid code
patterns like this:

    if (IS_SUBDOMAIN) {
        parse name and domain part from 'name' attribute using
        regular expression (requires initialization of names_ctx).
    } else {
        'name' attribute contains only name
    }

In other words, we should store data in a unified manner for main domains
as well as for subdomains and avoid the need for regular expressions
when we simply need to parse the name and domain portions from the 'name'
attribute. Alternatively we might store the name and domain portions in
separate attributes instead of one FQDN attribute.
Thanks,
Michal
10 years, 5 months
[PATCHES] Alignment issues reported by Clang
by Michal Židek
Patches 1-4 and 9:
These patches use the SAFEALIGN macros where it is appropriate. I split
them into several patches for easier review, so that client code changes
are not mixed with the rest of the code and changes that are a little
different than the rest have their own patch.
Patches 5-6:
Here I think it is not needed to use uint8_t* or char*. We cast the
pointer anyway and there are no real alignment issues (the memory is
aligned properly). I was thinking about suppressing the warnings with
#pragma here, but in this particular situation it is IMO better to have
just void*.
Patches 7-8:
These were all false positive warnings. It is possible to suppress them
with additional casting but I found it less readable so I used #pragma.
Patch 10:
We had an improperly aligned part of a buffer used in client code. Also
some code blocks here must rely on the fact that the buffer they get is
aligned properly (they can do nothing about it if it isn't). In these
cases it is better to silence the warnings, so that they do not make
permanent noise during compilation.
Thanks
Michal
10 years, 5 months
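An added example (not part of the mail above, and not the SSSD SAFEALIGN macro source) of the problem class these patches address: integers packed into a byte buffer at offsets that are not multiples of their size. The hypothetical helpers below copy the value byte-wise with memcpy and check bounds, instead of casting the buffer address to a wider pointer type; values are stored in host byte order.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not the SSSD SAFEALIGN macros themselves. */

/* Read a uint32_t at *pos without assuming alignment.
 * Returns 0 on success, -1 if fewer than 4 bytes remain. */
int get_u32(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (*pos > len || len - *pos < sizeof(uint32_t)) return -1;
    memcpy(out, buf + *pos, sizeof(uint32_t)); /* byte copy, no aligned load */
    *pos += sizeof(uint32_t);
    return 0;
}

/* Write a uint32_t at *pos without assuming alignment. */
int put_u32(uint8_t *buf, size_t len, size_t *pos, uint32_t val)
{
    if (*pos > len || len - *pos < sizeof(uint32_t)) return -1;
    memcpy(buf + *pos, &val, sizeof(uint32_t));
    *pos += sizeof(uint32_t);
    return 0;
}

/* Constructed message layout: 1-byte tag, then two uint32_t fields.
 * The tag pushes both integers to odd offsets (1 and 5). */
int roundtrip(uint32_t a, uint32_t b, uint32_t *a_out, uint32_t *b_out)
{
    uint8_t buf[16];
    size_t pos = 0;

    buf[pos++] = 0x01; /* tag */
    if (put_u32(buf, sizeof(buf), &pos, a) != 0) return -1;
    if (put_u32(buf, sizeof(buf), &pos, b) != 0) return -1;

    /* The pattern to avoid here: *(uint32_t *)(buf + 1)
     * It stores a byte-buffer address in a pointer of a wider type. */
    pos = 1;
    if (get_u32(buf, sizeof(buf), &pos, a_out) != 0) return -1;
    if (get_u32(buf, sizeof(buf), &pos, b_out) != 0) return -1;
    return 0;
}

int main(void)
{
    uint32_t a, b;
    if (roundtrip(0xdeadbeefu, 42u, &a, &b) == 0)
        printf("a=0x%08x b=%u\n", (unsigned)a, (unsigned)b);
    return 0;
}
```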
[PATCH] LDAP: Prevent from using uninitialized sdap_options
by Lukas Slebodnik
ehlo,
previously, the variable "struct sdap_options *opts" was part of bectx.
When ldap_get_options failed at the time of ldap backend initialisation,
sdap_options (ctx->opts) remained NULL.
After refactoring dcb44c39dda9699cdd6488fd116a51ced0687de3
"LDAP: sdap_id_ctx might contain several connections"
talloc_free can be called with uninitialised sdap_options opts
if the initial call to ldap_get_options fails.
I didn't change the done section because talloc_free can be safely
called with a NULL pointer.
Simple patch is attached.
LS
10 years, 5 months
Re: [SSSD] auth.log error message: _sasl_plugin_load failed
by Qing Chang
On 14/11/2013 4:41 AM, sssd-devel-request(a)lists.fedorahosted.org wrote:
> Date: Thu, 14 Nov 2013 10:41:45 +0100
> From: Jakub Hrozek <jhrozek(a)redhat.com>
> To: sssd-devel(a)lists.fedorahosted.org
> Subject: Re: [SSSD] auth.log error message: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
> Message-ID: <20131114094145.GD3266(a)hendrix.brq.redhat.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, Nov 13, 2013 at 04:19:03PM -0500, Qing Chang wrote:
>> >there was a thread on Aug 8, 2013 that was about this error, my situation is
>> >a little different. This happens on Ubuntu 12.04 IPA clients, which automounts
>> >kerberized NFSv4.
>> >
>> >I am led to believe that this error may be the cause of a weird problem that
>> >users are able to login wither per ssh or lightdm.
>> >
>> >Open an ssh session, type in username and password, successful authentication
>> >is logged in auth.log, but the session just hangs at the login prompt.
>> >=====
>> >Nov 13 09:52:33 murjo sshd[2746]: pam_unix(sshd:auth):
>> >authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>> >rhost=fish user=qchang
>> >Nov 13 09:52:34 murjo sshd[2746]: pam_sss(sshd:auth): authentication
>> >success; logname= uid=0 euid=0 tty=ssh ruser= rhost=fish user=qchang
>> >Nov 13 09:52:34 murjo sshd[2746]: Accepted password for qchang from port 33621 ssh2
>> >Nov 13 09:52:34 murjo sshd[2746]: pam_unix(sshd:session): session opened for user qchang by (uid=0)
>> >Nov 13 09:53:04 murjo sssd_be: canonuserfunc error -7
>> >Nov 13 09:53:04 murjo sssd_be: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
>> >Nov 13 09:57:23 murjo sshd[902]: Received signal 15; terminating.
>> >Nov 13 09:57:23 murjo sshd[997]: Server listening on 0.0.0.0 port 22.
>> >Nov 13 09:57:23 murjo sshd[997]: Server listening on :: port 22.
>> >Nov 13 09:57:34 murjo lightdm: pam_unix(lightdm:session): session opened for user lightdm by (uid=0)
>> >Nov 13 09:57:34 murjo lightdm: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :0
>> >Nov 13 09:57:35 murjo dbus[910]: [system] Rejected send message, 2
>> >matched rules; type="method_call", sender=":1.16" (uid=104 pid=1554
>> >comm="/usr/lib/indicator-datetim
>> >e/indicator-datetime-ser")
>> >interface="org.freedesktop.DBus.Properties" member="GetAll" error
>> >name="(unset)" requested_reply="0" destination=":1.9" (uid=0
>> >pid=1400 comm
>> >="/usr/sbin/console-kit-daemon --no-daemon ")
>> >Nov 13 09:57:43 murjo automount[1725]: canonuserfunc error -7
>> >Nov 13 09:57:43 murjo automount[1725]: _sasl_plugin_load failed on
>> >sasl_canonuser_init for plugin: ldapdb
>> >Nov 13 09:57:44 murjo automount[1725]: DIGEST-MD5 common mech free
>> >Nov 13 09:57:44 murjo automount[1725]: canonuserfunc error -7
> This looks like some kind of cyrus-sasl misconfiguration, not really
> anything wrong in the SSSD.
>
This host is configured as an IPA client with kerberized NFSv4. The configuration process
involves ipa-client-setup and some ker-NFS related changes, but nothing is done
directly regarding cyrus-sasl. How can I find out what has gone wrong?
===== sssd.conf =====
[domain/sri.utoronto.ca]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_renewable_lifetime = 7d
krb5_renew_interval = 3600
ipa_domain = sri.utoronto.ca
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, ipa1.sri.utoronto.ca
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam
config_file_version = 2
domains = sri.utoronto.ca
[nss]
[pam]
[sudo]
[autofs]
[ssh]
=====
Thanks,
Qing
10 years, 5 months