beta1 runtime error acl.c
by steve
Hi
openSUSE 12.3
The build and install goes OK but upon running sssd:
sssd -i -d3
ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c
: ldb_version=1.1.14 module_version=1.1.15
ldb: failed to initialise module /usr/lib/ldb/acl.so : Unavailable
(Fri May 10 09:56:58:975063 2013) [sssd] [load_configuration] (0x0010):
The confdb initialization failed
(Fri May 10 09:56:58:981620 2013) [sssd] [main] (0x0020): SSSD couldn't
load the configuration database.
Any ideas?
Cheers,
Steve
LDAP Service Discovery Problem
by Joshua Riffle
I was unable to find a way of searching the current SSSD archives in
development but I found the following issue in an attempt to combine SASL
(Kerberos) and LDAP service discovery.
In the case of service discovery there seems to be no way of getting LDAP
to be treated as LDAPS (secure) and I think this may be leading to a
segmentation fault in the sss_ldap library.
In order for LDAP and Kerberos service discovery to work there needs to be
the following basic records in the configured DNS (where
kerberos.my-domain.com and ldap.my-domain.com are the two servers in
question):
$ORIGIN my-domain.com
_kerberos TXT "MY-DOMAIN.COM"
_kerberos._udp SRV 0 0 88 kerberos
_kerberos-master._udp SRV 0 0 88 kerberos
_kerberos-adm._tcp SRV 0 0 749 kerberos
_kpasswd._tcp SRV 0 0 464 kerberos
_kpasswd._udp SRV 0 0 464 kerberos
_ldap._tcp SRV 0 0 636 ldap
The SSSD client appears to perform DNS discovery just fine:
(Thu May 9 11:54:53 2013) [sssd[be[default]]] [sssm_ldap_id_init]
(0x1000): Service name for discovery set to ldap
(Thu May 9 11:54:53 2013) [sssd[be[default]]] [fo_new_service] (0x0400):
Creating new service 'LDAP'
(Thu May 9 11:54:53 2013) [sssd[be[default]]] [sdap_service_init]
(0x0100): No primary servers defined, using service discovery
(Thu May 9 11:54:53 2013) [sssd[be[default]]] [fo_add_srv_server]
(0x0400): Adding new SRV server to service 'LDAP' using 'tcp'.
(Thu May 9 11:54:53 2013) [sssd[be[default]]] [fo_new_service] (0x0400):
Creating new service 'KERBEROS'
(Thu May 9 11:54:53 2013) [sssd[be[default]]] [krb5_service_init]
(0x0100): No primary servers defined, using service discovery
(Thu May 9 11:54:53 2013) [sssd[be[default]]] [fo_add_srv_server]
(0x0400): Adding new SRV server to service 'KERBEROS' using 'udp'.
(Thu May 9 11:54:53 2013) [sssd[be[default]]] [fo_add_srv_server]
(0x0400): Adding new SRV server to service 'KERBEROS' using 'tcp'.
(Thu May 9 11:54:53 2013) [sssd[be[default]]] [krb5_servers_init]
(0x0400): Added service lookup
... And then later, when I attempt to look up user information (id fred), it
successfully finds the services:
(Thu May 9 11:57:03 2013) [sssd[be[default]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'LDAP'
(Thu May 9 11:57:03 2013) [sssd[be[default]]] [get_port_status] (0x1000):
Port status of port 0 for server '(no name)' is 'neutral'
(Thu May 9 11:57:03 2013) [sssd[be[default]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10
seconds
(Thu May 9 11:57:03 2013) [sssd[be[default]]] [resolve_srv_send] (0x0200):
The status of SRV lookup is neutral
(Thu May 9 11:57:03 2013) [sssd[be[default]]] [resolve_srv_send] (0x0400):
SRV resolution of service 'LDAP'. dns_discovery_domain not specified. Need
to look it up.
(Thu May 9 11:57:03 2013) [sssd[be[default]]] [resolve_get_domain_send]
(0x1000): Host name is: ldap.my-domain.com
(Thu May 9 11:57:03 2013) [sssd[be[default]]] [resolv_is_address]
(0x4000): [ldap.my-domain.com] does not look like an IP address
(Thu May 9 11:57:03 2013) [sssd[be[default]]] [resolv_gethostbyname_step]
(0x2000): Querying files
(Thu May 9 11:57:03 2013) [sssd[be[default]]]
[resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of '
ldap.my-domain.com' in files
(Thu May 9 11:57:03 2013) [sssd[be[default]]] [resolv_gethostbyname_step]
(0x2000): Querying files
(Thu May 9 11:57:03 2013) [sssd[be[default]]]
[resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record
of 'ldap.my-domain.com' in files
(Thu May 9 11:57:03 2013) [sssd[be[default]]] [resolv_gethostbyname_next]
(0x0200): No more address families to retry
(Thu May 9 11:57:03 2013) [sssd[be[default]]] [resolv_gethostbyname_step]
(0x2000): Querying DNS
(Thu May 9 11:57:03 2013) [sssd[be[default]]]
[resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of '
ldap.my-domain.com' in DNS
(Thu May 9 11:57:03 2013) [sssd[be[default]]] [schedule_request_timeout]
(0x2000): Scheduling a timeout of 5 seconds
(Thu May 9 11:57:03 2013) [sssd[be[default]]] [schedule_timeout_watcher]
(0x2000): Scheduling DNS timeout watcher
(Thu May 9 11:57:03 2013) [sssd[be[default]]] [unschedule_timeout_watcher]
(0x4000): Unscheduling DNS timeout watcher
(Thu May 9 11:57:03 2013) [sssd[be[default]]]
[resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
(Thu May 9 11:57:03 2013) [sssd[be[default]]] [request_watch_destructor]
(0x0400): Deleting request watch
And Kerberos DNS discovery works...
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [resolve_srv_cont] (0x0100):
Searching for servers via SRV query '_KERBEROS._udp.my-domain.com'
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [resolv_getsrv_send]
(0x0100): Trying to resolve SRV record of '_KERBEROS._udp.my-domain.com'
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [schedule_request_timeout]
(0x2000): Scheduling a timeout of 5 seconds
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [schedule_timeout_watcher]
(0x2000): Scheduling DNS timeout watcher
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [unschedule_timeout_watcher]
(0x4000): Unscheduling DNS timeout watcher
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [request_watch_destructor]
(0x0400): Deleting request watch
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [resolve_srv_done] (0x0400):
Inserted server 'kerberos.my-domain.com:88' for service KERBEROS
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [set_srv_data_status]
(0x0100): Marking SRV lookup of service 'KERBEROS' as 'resolved'
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [get_server_status]
(0x1000): Status of server 'kerberos.my-domain.com' is 'name not resolved'
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [resolv_is_address]
(0x4000): [kerberos.my-domain.com] does not look like an IP address
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [resolv_gethostbyname_step]
(0x2000): Querying files
(Thu May 9 12:04:30 2013) [sssd[be[default]]]
[resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of '
kerberos.my-domain.com' in files
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [set_server_common_status]
(0x0100): Marking server 'kerberos.my-domain.com' as 'resolving name'
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [resolv_gethostbyname_step]
(0x2000): Querying files
(Thu May 9 12:04:30 2013) [sssd[be[default]]]
[resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record
of 'kerberos.my-domain.com' in files
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [resolv_gethostbyname_next]
(0x0200): No more address families to retry
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [resolv_gethostbyname_step]
(0x2000): Querying DNS
(Thu May 9 12:04:30 2013) [sssd[be[default]]]
[resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of '
kerberos.my-domain.com' in DNS
But it refuses to construct the URI for LDAP in the discovery service as *ldaps*
(which is correct!) and instead makes it regular old *ldap*, which is
bound to fail.
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [sdap_uri_callback]
(0x0400): Constructed uri 'ldap://ldap.my-domain.com:636'
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [sss_ldap_init_send]
(0x4000): Using file descriptor [22] for LDAP connection.
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [sss_ldap_init_send]
(0x0400): Setting 6 seconds timeout for connecting
(Thu May 9 12:04:30 2013) [sssd[be[default]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://
ldap.my-domain.com:636/??base] with fd [22].
(Thu May 9 12:04:30 2013) [sssd[be[default]]] [sdap_get_rootdse_send]
(0x4000): Getting rootdse
My thought was to change my SRV record from _ldap (the service name) to
_ldaps but then Service Discovery in SSSD doesn't find an LDAP server!
Any suggestions?
The bad part is that with this current configuration it also causes a SEGFAULT
in libldap (insult to injury), which appears to happen right after the
attempt to connect to the wrongly constructed LDAP URI:
May 9 12:04:31 ldap kernel: sssd_be[10292]: segfault at 20 ip
0000003e51218561 sp 00007fffd49ef310 error 4 in
libldap-2.4.so.2.5.6[3e51200000+49000]
May 9 12:04:31 ldap abrt[10301]: Can't open /proc/10292/status: No such
file or directory
May 9 12:04:31 ldap sssd[be[default]]: Starting up
Versions -
*Kernel:*
Linux ldap.my-domain.com 2.6.32-358.6.1.el6.x86_64 #1 SMP Fri Mar 29
16:51:51 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux
*SSSD:*
sssd.x86_64 1.9.2-82.7.el6_4
sssd-client.x86_64 1.9.2-82.7.el6_4
Here's my /etc/sssd/sssd.conf file:
[domain/default]
debug_level = 0xFFF0
ldap_krb5_init_creds = true
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ldap.my-domain.com
ldap_id_use_start_tls = false
cache_credentials = True
ldap_search_base = dc=my-domain,dc=com
krb5_realm = MY-DOMAIN.COM
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_kpasswd = kerberos.my-domain.com
[sssd]
config_file_version = 2
services = nss, pam
domains = default
[nss]
[pam]
Note: There is a valid Kerberos key in /etc/krb5.keytab for host/
ldap.my-domain.com and krb5.conf is configured with the realm MY-DOMAIN.COM
Joshua Riffle
Software Engineer
*Azusa Pacific University*
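The discovery behaviour described in the post, as an added audit script (not SSSD code and not the poster's): it parses a constructed zone fragment modelled on the SRV records above, builds the URIs a scheme-blind `_ldap._tcp` lookup yields, and flags the case the log shows (cleartext `ldap://` to port 636), plus plain LDAP with STARTTLS disabled. The second SRV record and hostnames are assumptions.

```python
import re

# Constructed zone fragment modelled on the post; the ldap2 record is an assumption.
ZONE = """
$ORIGIN my-domain.com
_kerberos TXT "MY-DOMAIN.COM"
_kerberos._udp SRV 0 0 88 kerberos
_ldap._tcp SRV 0 0 636 ldap
_ldap._tcp SRV 10 0 389 ldap2
"""

SRV_RE = re.compile(r"^(\S+)\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
LDAPS_PORT = 636  # well-known LDAP-over-TLS port


def parse_srv(zone_text):
    """Return {owner_fqdn: [(priority, weight, port, target_fqdn), ...]}."""
    origin, records = "", {}
    for line in zone_text.splitlines():
        line = line.strip()
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = SRV_RE.match(line)
        if not m:
            continue  # TXT and other record types are ignored
        owner, prio, weight, port, target = m.groups()
        if not target.endswith("."):
            target = f"{target}.{origin}"  # relative name -> qualify with origin
        records.setdefault(f"{owner}.{origin}", []).append(
            (int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def discovery_uris(records, domain, scheme="ldap"):
    """Order targets like a discovery client (lowest priority, highest weight)
    and build URIs; the scheme is fixed by the service name, not the port."""
    targets = sorted(records.get(f"_ldap._tcp.{domain}", []),
                     key=lambda r: (r[0], -r[1]))
    return [f"{scheme}://{host}:{port}" for _, _, port, host in targets]


def tls_findings(uris, start_tls=False):
    """Flag cleartext ldap:// aimed at 636 (handshake cannot succeed) and
    plain LDAP with no STARTTLS (identity data crosses the wire unencrypted)."""
    findings = []
    for uri in uris:
        scheme, rest = uri.split("://", 1)
        port = int(rest.rsplit(":", 1)[1])
        if scheme == "ldap" and port == LDAPS_PORT:
            findings.append((uri, "cleartext ldap scheme on LDAPS port"))
        elif scheme == "ldap" and not start_tls:
            findings.append((uri, "cleartext LDAP without STARTTLS"))
    return findings
```

Run `tls_findings(discovery_uris(parse_srv(ZONE), "my-domain.com"))` to see both findings for the constructed zone; passing `scheme="ldaps"` shows the URI the poster expected.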
[PATCHES] SUDO: IPA provider
by Lukas Slebodnik
ehlo,
I am attaching two patches.
The first patch makes retrieving host information more reusable. It is a preparation
for easily reusing existing LDAP code in the SUDO IPA provider in the second patch.
LS