[PATCHES] Format string issues
by Lukas Slebodnik
ehlo,
A few weeks ago, I sent a big patch with fixed format string issues.
I didn't catch a few things. Three patches are attached. (Review should be
easier with separated patches.)
I can squash them into one packet, if it will be a problem.
LS
10 years, 9 months
Announcing SSSD 1.10.1
by Jakub Hrozek
=== SSSD 1.10.1 ===
The SSSD team is proud to announce the release of version 1.10.1 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 19 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Another case where the dircache might have been created with the UID
of root was fixed
* Fixed a sssd_be crash in case the dynamic DNS update timed out
* Several packaging bugs that were introduced as a result of splitting
out the providers into separate subpackages were fixed
* The SRV resolution status is now correctly reset after receiving
notification about changed network conditions
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1778
Do not copy special files when creating a home directory from a skeldir
https://fedorahosted.org/sssd/ticket/1814
Empty Kerberos passwords handled incorrectly
https://fedorahosted.org/sssd/ticket/1827
Cannot change expired password of an AD user
https://fedorahosted.org/sssd/ticket/1846
cyclic group memberships may not work depending on order of operations
https://fedorahosted.org/sssd/ticket/1933
sssd fails to resolve hosts/services once the network is up
https://fedorahosted.org/sssd/ticket/1935
Several translated man pages are malformed
https://fedorahosted.org/sssd/ticket/1984
sssd-common requires libndr due to pac responder dependency
https://fedorahosted.org/sssd/ticket/1992
AD dyndns update crashed after attempting to update a standalone DNS server
https://fedorahosted.org/sssd/ticket/1999
shadowLastChange updates even when PAM reports password change failed
https://fedorahosted.org/sssd/ticket/2002
cc_residual_is_used might not work correctly with dircache
== Detailed Changelog ==
Jakub Hrozek (5):
* Updating the version for the 1.10.1 release
* RPM: Move sssd_pac to the krb5-common subpackage
* DB: sysdb_search_user_by_name: search by both name and alias
* RPM: Require libsss_idmap from sssd-common
* Updating translations for the 1.10.1 release
Jim Collins (1):
* ldap: only update shadowLastChange when password change is successful
Lukas Slebodnik (2):
* Return right directory name for dircache
* Every time use permissive control in function memberof_mod.
Michal Zidek (1):
* Always set port status to neutral when resetting service.
Ondrej Kos (5):
* Do not copy special files when creating homedir
* KRB5_CHILD: Fix handling of get_password return code
* Do not try to set password when authtok_length is zero
* KRB: Handle empty password gracefully
* KRB: Replace multiple calls with variable
Pavel Březina (3):
* print hint about password complexity when new password is rejected
* dyndns timeout test: catch SIGCHLD handler events
* SIGCHLD handler: do not call callback when pvt data where freed
Stephen Gallagher (3):
* Move pre and post scripts to sssd-common
* Remove sysv->systemd upgrade routines
* Move sssd_pac binary to the IPA and AD providers
== Packaging Changes ==
* The sssd_pac binary is now owned by the IPA and AD providers
* The sysv->systemd upgrade routines were removed
* Several packaging fixes
10 years, 9 months
[PATCH] Do not try to set password when authtok_length is zero
by Ondrej Kos
The problem here wasn't in the returned error code, but in a faultily read DBUS
message, due to a condition in sss_authtok_set_string.
When the password is empty, it passes 0 as the length, which is misinterpreted,
and the function tries to determine the length of the string by itself,
reaching over the boundaries of the authtok string.
trac issue: https://fedorahosted.org/sssd/ticket/1814
Patch is attached
Ondra
--
Ondrej Kos
Associate Software Engineer
Identity Management - SSSD
Red Hat Czech
10 years, 9 months
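The failure mode described in the message above, as an added example that is not part of the original post and is not SSSD's code: a setter that treats a length of 0 as "measure the string yourself" is handed an empty, non-NUL-terminated field from a message buffer. The `struct tok` type, the helper names, and the message layout (one length byte, token bytes, next field) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical token type and helpers; illustrative names, not SSSD's API. */
struct tok { char *data; size_t len; };

/* Risky convention: len == 0 means "measure the string yourself". */
static int tok_set_string(struct tok *t, const char *s, size_t len)
{
    if (len == 0) len = strlen(s);   /* only safe if s is NUL-terminated */
    char *copy = malloc(len + 1);
    if (copy == NULL) return -1;
    memcpy(copy, s, len);
    copy[len] = '\0';
    free(t->data);
    t->data = copy;
    t->len = len;
    return 0;
}

static void tok_set_empty(struct tok *t) { free(t->data); t->data = NULL; t->len = 0; }

/* Constructed messages: [1-byte length][token bytes, no NUL][next field].
 * The literal's trailing NUL keeps strlen() inside the array in this demo. */
static const char MSG_EMPTY[] = "\x00" "next-field";
static const char MSG_PW[]    = "\x03" "abc" "next-field";

/* Before: the wire length is forwarded as-is, so 0 selects the strlen path. */
static size_t parse_unpatched(const char *msg, struct tok *t)
{
    return tok_set_string(t, msg + 1, (unsigned char)msg[0]) == 0 ? t->len : 0;
}

/* After: the caller handles zero length and never hands it to the setter. */
static size_t parse_patched(const char *msg, struct tok *t)
{
    size_t wire_len = (unsigned char)msg[0];
    if (wire_len == 0) { tok_set_empty(t); return 0; }
    return tok_set_string(t, msg + 1, wire_len) == 0 ? t->len : 0;
}

int main(void)
{
    struct tok t = { NULL, 0 };
    printf("unpatched, empty:  len=%zu\n", parse_unpatched(MSG_EMPTY, &t));
    printf("patched,   empty:  len=%zu\n", parse_patched(MSG_EMPTY, &t));
    printf("patched,   3-byte: len=%zu\n", parse_patched(MSG_PW, &t));
    free(t.data);
    return 0;
}
```

In the unpatched path the empty password becomes a 10-byte token made of the neighbouring field; in a real buffer with no terminator nearby, the same `strlen` call would run past the end of the allocation.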
Planning the 1.10.1 release
by Jakub Hrozek
Hi,
I'd like to propose that we release 1.10.1 and target the rest of the 1.10 open
bugs for 1.10.2. I think there are enough bugs fixed upstream to justify
the release. In particular:
* Another dircache creation issue where the directory might be
created with UID 0. There was a user on #sssd who hit the problem
and another one contacted me with e-mail directly.
* sssd_be process might crash in case of dyndns update timeout. There
were several bug reports about this problem already
* Several packaging patches that fixed problems introduced by the
split of providers into subpackages
* In case SRV resolution failed (which is quite common these
days after bootup if NM is used as resolv.conf might be empty) we
didn't re-set the server status properly when we received inotify
notification about resolv.conf being updated.
Are there any objections against releasing the 1.10.1 tarball? If not I
would do the release either later today or tomorrow. Probably the
latter so that the US colleagues have enough time to voice concerns
about the release.
10 years, 9 months
[PATCH] fix dyndns crash on timeout
by Pavel Březina
Unfortunately, the reporter did not provide logs from the time of crash.
The backtrace only says that it occurred in nsupdate_child_handler() but
I'm very confident that the root cause was that the dyndns update
reached timeout.
The first patch fixes dyndns unit tests to actually reveal the crash.
Cooler solution would be to use tevent_loop_wait(), but it contains an
issue due to which it is not possible. This issue was reported on Samba
mailing list:
https://lists.samba.org/archive/samba-technical/2013-June/093457.html
Second patch will fix the crash.
What is the difference between child_sig_handler() which uses context
suffixed with _old and sss_sigchld_init()? Would it make sense to update
the code to the new sigchld handler?
10 years, 9 months
[PATCH] Every time use permissive control in function memberof_mod.
by Lukas Slebodnik
ehlo,
Group structure is described in ticket https://fedorahosted.org/sssd/ticket/1846
Please ensure that sysdb cache is empty.
call command "getent group cyclegroup1"
sssd_be will call following function:
a) sdap_store_group_with_gid (name:cyclegroup1)
--added attributes [ ghost: user1, origMember: user1, ... ]
b) sdap_store_group_with_gid (name:cyclegroup2)
--added attributes [ ghost: user2, origMember: user2, ... ]
c) sdap_save_grpmem (name:cyclegroup1)
--added attributes [ member:cyclegroup2, ... ]
d) sdap_save_grpmem (name:cyclegroup2)
--added attributes [ member:cyclegroup1, ... ]
Subtransaction "d)" will fail and log file contains:
[ldb] (0x4000): will add 2 ghost users to 1 parents
... snip ...
[ldb] (0x4000): cancel ldb transaction (nesting: 2)
[sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
[sysdb_set_entry_attr] (0x0400): Error: 17 (File exists)
[sysdb_store_group] (0x0400): Error: 17 (File exists)
[sdap_save_grpmem] (0x0040): Failed to save user cyclegroup2
[sdap_save_groups] (0x0040): Failed to store group 1 members.
[ldb] (0x4000): commit ldb transaction (nesting: 1)
[ldb] (0x4000): commit ldb transaction (nesting: 0)
Attached patch should fix this bug.
LS
10 years, 9 months
[PATCH] LDAP: When resolving a SID, search for groups first, then users
by Jakub Hrozek
This is a performance enhancement for the SID2name resolution. On most
clients, resolving a group SID to name is much more frequent operation
as it's performed during login to resolve a group SID. Therefore we
should try the group first and then users.
The attached patch switches the order of operations. No other functional
change is present there.
10 years, 9 months
[PATCH] remove unused variable
by Pavel Březina
The recent patch that removes unused parameter nctx introduced an unused
variable. I'm sorry for the fuss, I was missing -Werror in cflags and
didn't notice the warning before.
10 years, 9 months