Is there a way to enable debug logging for the underlying samba libraries that sssd makes use of (e.g. libtevent, libldb, etc.)? I am able to enable sssd debug logging by inserting "debug_level = x" statements in each sssd.conf stanza I care about. Does sssd propagate this debug level to the samba libraries that it uses? Does sssd require /etc/samba/smb.conf to exist and be correctly configured in order to enable samba debugging?
I've been assigned ticket https://fedorahosted.org/sssd/ticket/1713:
[RFE] Add a task to the SSSD to periodically refresh cached entries
I have recently created a ticket (#1891) to unite the API for managing
periodic tasks. We already have quite a few periodic tasks (enumeration, sudo,
dyndns, #1713), where each of them implements a custom API.
None of these are generic enough to be used for #1713, so I will have to
create a new one. I'm not suggesting refactoring the old code now; that
will be done when #1891 is scheduled.
But I think it is a good idea to create the generic one now instead of a
new feature-specific one. It will be basically the same amount of work.
I wrote a design document:
=== SSSD 1.10 Beta 1 ===
The SSSD team is proud to announce the beta release of version 1.10 of
the System Security Services Daemon.
This beta release includes several new features, mostly targeted at better
integration with Microsoft Active Directory.
As always, the source is available from https://fedorahosted.org/sssd.
RPM packages will be made available for Fedora 19 and rawhide shortly.
The SSSD 1.10 Beta 2 release is tentatively scheduled for next week,
before the Fedora Test Day which will happen on May 9th. The Beta 2
release will contain the remaining features we finish before the Test Day.
There might be another pre-release if any of the planned features are not
ready for the test day. After this last pre-release, the SSSD will enter a
period of string-freeze and the 1.10 development will switch to bug fixing
in preparation for the 1.10 final release.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
== Highlights ==
* The Active Directory provider now includes support for Site-based
discovery. This feature allows the Active Directory clients to find the
most suitable Domain Controller to connect to.
* Support for dynamic DNS updates in the Active Directory provider. This
feature enables the clients to automatically update or refresh their DNS
records stored in the AD server.
* A new library, called libsss_nss_idmap was introduced. This library
allows the user to convert Windows Security Identifiers (SIDs) to names
and vice versa. The library also includes Python bindings.
* Setting the SELinux context on the IPA server now also works for users
coming from a trusted Active Directory domain
* Fixed a serious performance issue when enumerating a large number of users
* The subdomain_homedir configuration option gained a new template expansion
%F that expands to the flat name (NetBIOS name) of the trusted AD domain
== Packaging Changes ==
* The SSSD python ConfigAPI was moved to its own noarch subpackage to
make the SSSD packaging more compliant with the Fedora packaging guidelines
* The libsss_nss_idmap library and its Python bindings are packaged in
== Tickets Fixed ==
[RFE] Replace pam status codes with sssd specific codes
[RFE] Allow setting krb5_renew_interval with a delimiter
[RFE] sssd should support DNS sites
[RFE] Improve syslog message when configuration cannot be loaded
[RFE] Subdomain homedir template should be configurable/use flatname by default
Confusing error messages for invalid sssd.conf
sss_cache doesn't support subdomains
move processing of password expiration back to PAM provider only
rewrite nested group processing to follow the tevent_req coding style
Use new interface from ding-libs ini interface
Document that SSSD domains should only be named using ASCII characters
make the authtok structure really opaque
Incorrect *.py[co] files placement
Allow usage of enterprise principals
add a call to calculate the range for a given domain SID to libsss_idmap
unused parameter in ipa_selinux handler
pidfile() may leak memory on error
potential out-of-bounds-write in sss_idmap_sid_to_dom_sid
negative return in files.c
Bad comparisons in checks found by new Coverity instance
Logically dead code in tools_util.c
document that AD provider is always case insensitive
ding-libs.dhash: uninitialized pointer read
freeipa 3.2 trusted ad user not listed in external group
coverity: dead code in sudo client
SSSD doesn't display warning for last grace login.
In IPA AD trust setup, the sssd logs throws 'sysdb_search_user_by_name failed' error when AD user tries to login via ipa client.
== Detailed Changelog ==
Abhishek Singh (3):
* cmocka unittest for find_uid added
* cmocka unittest for io added
* Fix segmentation fault in test_io.
Ariel Barria (2):
* Allow setting krb5_renew_interval with a delimiter
* Confusing error messages for invalid sssd.conf
Jakub Hrozek (38):
* Updating the version for the 1.10 beta1 release
* krb5 child: Use the correct type when processing OTP
* pidfile(): Do not leak fd on error
* Fix potential out-of-bounds write in sss_idmap_sid_to_dom_sid
* Return errno, not -1 on failure in files.c
* Check for correct variable name
* Init failover with be_res options
* Centralize resolv_init, remove resolv context list
* dyndns: Fix initializing sdap_id_ctx
* Check for the correct variables
* Allocate PAM DP request data on responder context
* LDAP: Always fail if a map can't be found
* Put the override_homedir into an included xml file
* Allow using flatname for subdomain home dir template
* Fix simple access group control in case-insensitive domains
* Make leak checks usable in tests that do not utilize check
* tests: Fix the order of key/values
* LDAP: do not invalidate pointer with realloc while processing ghost users
* Convert the simple access check to new error codes
* tests: Link the simple access tests with -ldl
* Do not keep growing event context
* Document the naming convention for SSSD domains
* Document that the AD provider is case-insensitive
* selinux: if no domain matches, make the debug message louder
* Only try to relink ghost users if we're not enumerating
* Display the last grace warning, too
* Refactor dynamic DNS updates
* Convert IPA-specific options to be back-end agnostic
* dyndns: new option dyndns_refresh_interval
* resolver: Return PTR record as string
* dyndns: New option dyndns_update_ptr
* dyndns: new option dyndns_force_tcp
* dyndns: new option dyndns_auth
* Split out the common code from timed DNS updates
* Active Directory dynamic DNS updates
* AD: Always initialize ID mapping
* Only check UPN if enterprise principals are not used
* Updating the translations for the 1.10 beta1 release
Jan Cholasta (1):
* Add exit status section to sss_ssh_* man pages
Lukas Slebodnik (5):
* LDAP: Fix value initialization warnings
* Incorrect *.py[co] files placement
* Fix krbcc dir creation issue with MIT krb5 1.11
* Default TEST_DIR to cwd, not empty string if not set explicitly
* SUDO: IPA provider
Michal Zidek (6):
* Check for waitpid failure at wrong place.
* Wrong condition after waitpid.
* sss_cache: support for subdomains
* sss_cache: Remove annoying messages
* Inform about function duplication.
* libsss_idmap: function to calculate range
Ondrej Kos (3):
* DB: Switch to new libini_config API
* CONFDB: prevent double free
* IDMAP: Fix variable initialization
Pavel Březina (18):
* resolv: add resolv_get_domain request to resolv utils
* resolv: add resolv_discover_srv request to resolv utils
* DNS sites support - SRV lookup plugin interface
* DNS sites support - SRV DNS lookup plugin
* fail over - add function to insert multiple servers to the list
* DNS sites support - replace SRV lookup code with a plugin call
* DNS sites support - use SRV DNS lookup plugin in all providers
* DNS sites support - add IPA SRV plugin
* sudo client: remove dead code
* add fo_discover_servers request
* IPA SRV plugin: use fo_discover_servers request
* IPA SRV plugin: improve debugging
* sdap: add sdap_connect_host request
* add sss_ldap_encode_ndr_uint32
* DNS sites support - add AD SRV plugin
* dns srv plugin: compare domain names case insensitive
* AD SRV plugin: check if site name is empty
* fo_discover_servers_send: don't crash when backup_domain is NULL
Simo Sorce (1):
* Further restrict become_user drop of privileges.
Sumit Bose (21):
* Fix and rename get_my_domain_data()
* Refactoring: remove duplicated code in nss responder
* Allow usage of enterprise principals
* Make IPA SELinux provider aware of subdomain users
* Add override_homedir.xml to po4a.cfg
* Remove unused TALLOC_CTX from responder_get_domain()
* responder_get_domain: do not return disabled domains
* responder_get_domain(): remove timeout calculation
* LDAP: always store SID if available
* Add secid filter to responder-dp protocol
* Add two new request types to the data-provider interface
* Add idmap context to nss context
* Add responder_get_domain_by_id()
* sysdb: add sysdb_search_object_by_sid()
* Add sss_ncache_set_sid() and sss_ncache_check_sid()
* Remove unused attribute list
* Use struct to hold different types of request parameters
* Add SID related lookups to IPA subdomains
* Add SID related calls to the NSS responder
* Add client library for SID related lookups
* Add python interface to libsss_nss_idmap
Yuri Chornoivan (1):
* Fix typos in man pages
Currently when enterprise principals are enabled in the AD provider, we
check if the UPN is the same as we'd expect. But when enterprise
principals are enabled (which is by default in AD provider), then the
principal krb5_child returns is different from what SSSD expects.
Sumit, you wrote the enterprise principal support, do you know if there
is a better way than disabling the check altogether? Can we expect the
principal in the form krb5_child sends it? This is how the principal
looked on my setup for user "testlogin":
Ticket cache: DIR::/run/user/947005183/krb5cc/tktDSjgIe
Default principal: testlogin\@SSSD-AD.TEST@SSSD-AD.TEST
Valid starting Expires Service principal
05/03/13 17:52:32 05/04/13 03:52:32 krbtgt/SSSD-AD.TEST@SSSD-AD.TEST
renew until 05/10/13 17:52:32
the attached patches implement a couple of new dynamic DNS options. The
AD dyndns code will be just a wrapper around these options.
[PATCH 1/5] dyndns: new option dyndns_refresh_interval
This new option adds the possibility of updating the DNS entries
periodically regardless of whether they have changed or not. This feature
will be useful mainly in AD environments where the Windows clients
periodically update their DNS records.
There is one place (in IPA dyndns code in this patch but also in AD code
later on) that I wanted to discuss specifically. It may happen that the
periodic update would trigger going online in which case the online
callback would fire and another dyndns update would be invoked as an
online callback. To prevent a race between these two updates, there is
an interval, currently hardcoded to 60 seconds that would just make the
next update quit without doing anything. Ideas on how to fix the problem
without a hardcoded timeout are welcome.
[PATCH 2/5] resolver: Return PTR record as string
Having the possibility to format a PTR record based on an A/AAAA record
is a requirement to update the PTR records.
Includes a unit test.
[PATCH 3/5] dyndns: New option dyndns_update_ptr
While some servers, such as FreeIPA allow the PTR record to be
synchronized when the forward record is updated, other servers,
including Active Directory, require that the PTR record is synchronized
This patch adds a new option, dyndns_update_ptr that automatically
generates appropriate DNS update message for updating the reverse zone.
The PTR update is performed separately from the forward record update
mostly because the current IPA dyndns code allows the zone to be
specified in the message, so another zone must be updated using another
This option is off by default in the IPA provider.
[PATCH 4/5] dyndns: new option dyndns_use_tcp
Adds a new option that can be used to force nsupdate to only use TCP to
communicate with the DNS server.
[PATCH 5/5] dyndns: new option dyndns_auth
This option is mostly provided for future expansion. Currently it is
undocumented and both IPA and AD dynamic DNS updates default to
GSS-TSIG. Allowed values are GSS-TSIG and none.
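To make the mechanics behind patches 1 to 5 concrete, here is an added Python illustration of the same ideas; it is not code from the patches or from SSSD. It shows how a PTR owner name is derived from an A/AAAA address, why the reverse-zone update is sent as a separate nsupdate message from the forward update, how the dyndns_force_tcp and dyndns_auth choices map onto the real nsupdate flags (-v forces TCP, -g selects GSS-TSIG), and how the hardcoded 60-second guard keeps a periodic refresh and an online-callback update from running on top of each other. The function names, the DyndnsScheduler class, the FakeClock and the sample host and addresses are constructed for this example.

```python
import ipaddress
import time


def ptr_name(addr):
    """Reverse-map owner name for an A/AAAA address (in-addr.arpa / ip6.arpa)."""
    # ipaddress handles both families; the trailing dot makes the name absolute.
    return ipaddress.ip_address(addr).reverse_pointer + "."


def forward_update_msg(hostname, addrs, ttl, zone=None, server=None):
    """nsupdate script that replaces the forward (A/AAAA) records of hostname."""
    lines = []
    if server:
        lines.append(f"server {server}")
    if zone:                       # optional; nsupdate can derive the zone from the SOA
        lines.append(f"zone {zone}")
    lines.append(f"update delete {hostname}. in A")
    lines.append(f"update delete {hostname}. in AAAA")
    for a in addrs:
        rtype = "AAAA" if ipaddress.ip_address(a).version == 6 else "A"
        lines.append(f"update add {hostname}. {ttl} in {rtype} {a}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def ptr_update_msg(hostname, addr, ttl, server=None):
    """Separate nsupdate script for the reverse zone of one address.

    The reverse zone is a different zone from the forward one, so it gets
    its own message and its own 'send' rather than sharing the forward update.
    """
    name = ptr_name(addr)
    lines = []
    if server:
        lines.append(f"server {server}")
    lines.append(f"update delete {name} in PTR")
    lines.append(f"update add {name} {ttl} in PTR {hostname}.")
    lines.append("send")
    return "\n".join(lines) + "\n"


def nsupdate_argv(force_tcp=False, auth="GSS-TSIG"):
    """Command line for nsupdate: -g selects GSS-TSIG, -v forces TCP."""
    argv = ["nsupdate"]
    if auth == "GSS-TSIG":
        argv.append("-g")
    elif auth != "none":
        raise ValueError(f"unsupported dyndns_auth value: {auth}")
    if force_tcp:
        argv.append("-v")
    return argv


class DyndnsScheduler:
    """Coalesces the periodic refresh with the online-callback update (constructed).

    Both paths go through run_update(); an update arriving less than min_gap
    seconds after the previous one is skipped, mirroring the 60-second guard.
    """

    def __init__(self, refresh_interval, min_gap=60, clock=time.monotonic):
        self.refresh_interval = refresh_interval
        self.min_gap = min_gap
        self.clock = clock
        self.last_update = None
        self.history = []          # (reason, timestamp) of updates that actually ran

    def run_update(self, reason):
        now = self.clock()
        if self.last_update is not None and now - self.last_update < self.min_gap:
            return False           # skipped: too soon after the last update
        self.last_update = now
        self.history.append((reason, now))
        return True

    def on_timer(self):            # fired every refresh_interval seconds
        return self.run_update("periodic")

    def on_online(self):           # fired by the back end's online callback
        return self.run_update("online")


class FakeClock:
    """Deterministic clock for the demo (constructed, not real time)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    host = "client1.example.test"  # constructed sample host and addresses
    print(forward_update_msg(host, ["192.0.2.10", "2001:db8::1"], 1200, zone="example.test"))
    print(ptr_update_msg(host, "192.0.2.10", 1200))
    print(" ".join(nsupdate_argv(force_tcp=True)))
    clk = FakeClock()
    sched = DyndnsScheduler(refresh_interval=3600, min_gap=60, clock=clk)
    print(sched.on_timer())        # first update runs
    clk.t = 10
    print(sched.on_online())       # 10 s later: inside the guard, skipped
    clk.t = 100
    print(sched.on_online())       # guard elapsed, update runs
```

The scheduler shows the trade-off the patch description raises: the guard is simple and race-free, but a genuine address change inside the 60-second window is postponed until the next trigger, which is the cost of not having a smarter coalescing mechanism.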
These two patches depend on patches in that decouple the memory checking
from the check tool.
[PATCH 1/2] Refactor dynamic DNS updates
Provides two new layers instead of the previous IPA specific layer
1) dp_dyndns.c -- a very generic dyndns layer on the DP level. Its purpose
is to make it possible for any back end to use dynamic DNS updates.
2) sdap_dyndns.c -- a wrapper around dp_dyndns.c that utilizes some
LDAP-specific features like autodetecting the address from the LDAP
Also converts the dyndns code to new specific error codes.
The DP layer includes unit tests that also make sure that
https://fedorahosted.org/sssd/ticket/1802 is fixed.
[PATCH 2/2] Convert IPA-specific options to be back-end agnostic
This patch introduces new options for dynamic DNS updates that are not
specific to any back end. The current ipa dyndns options are still
usable, just with a deprecation warning.
These options will be reused in the AD dynamic DNS updates code.