[PATCH] print password complexity hint when change password failed
by Pavel Březina
Now the output looks like:
$ su test-user
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Password change failed. Please make sure the password meets the
complexity constraints.
su: incorrect password
10 years, 8 months
[PATCH 1/2] Set default DNS resolution timeout to 15 seconds.
by Michal Židek
https://fedorahosted.org/sssd/ticket/1966 (SSSD failover doesn't work if
the first DNS server in resolv.conf is unavailable).
The problem here is that if the first nameserver in resolv.conf is down,
the resolution is too slow and SSSD will not wait for the result of
ares_search and go offline. In my case the resolution was sometimes more
than a minute, because all search domains in resolv.conf were searched
inside ares_search() call using the first (not working) nameserver in
the first place and then with the working nameserver (and before that,
SSSD tried to figure out the domain name from my incorrectly set
hostname, which added more unnecessary DNS lookups).
To avoid this problem, the option dns_discovery_domain must be set
properly, so that only the correct domain is searched, but even that is
not enough, because the default timeout for dns resolver operation in
sssd is too low. This patch raises the default value to 15 seconds
(instead of 5 seconds).
Another option might be to lower the amount of time ares waits for a
nameserver to respond (currently it is 5 seconds, that is why 5 seconds
for the entire dns resolution is not sufficient), but I do not want to
do this.
These patches also change man pages, so probably master only (string
freeze)? Even if this is a really small change.
I was also thinking, would it make sense to write a warning to the logs
if the dns_discovery_domain option is not set? It seems to be important
to set it properly for cases like this one.
Thanks
Michal
10 years, 8 months
[PATCH] AD: Cast SASL callbacks to propper type
by Ondrej Kos
Hi,
While working on another issue, I noticed a warning in recently added
code (commit fb945a2c). On F18 the build works fine, but not on F19.
This is caused by the change of cyrus-sasl API, they changed the
*sasl_callback_t* callback member from
int (*proc)();
to
int (*proc)(void);
Attached patch adds typedef for proper cast and fixes the issue.
Ondra
--
Ondrej Kos
Associate Software Engineer
Identity Management - SSSD
Red Hat Czech
10 years, 8 months
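The cast described in the message above, as an added example that is not the attached patch or SSSD's code: the struct is a stand-in for sasl_callback_t with the `int (*proc)(void)` member, and every demo_* name, id and value is hypothetical. It stores two handlers with different signatures through one typedef and casts each back to its real type, after checking the id, before calling it.

```c
#include <string.h>

/* Stand-in for sasl_callback_t (assumption); proc has the newer prototype. */
typedef int (*demo_cbproc_t)(void);   /* hypothetical typedef used for the cast */
struct demo_callback { unsigned long id; demo_cbproc_t proc; void *context; };
enum { DEMO_CB_USER = 1, DEMO_CB_LOG = 2 };   /* constructed ids */

/* The handlers' real types; neither is int (*)(void). */
typedef int (*demo_getsimple_t)(void *ctx, int id, const char **res, unsigned *len);
typedef int (*demo_log_t)(void *ctx, int level, const char *msg);

static int demo_get_user(void *ctx, int id, const char **res, unsigned *len)
{
    if (id != DEMO_CB_USER || res == NULL || len == NULL) return -1;
    *res = ctx;
    *len = (unsigned)strlen(*res);
    return 0;
}

static int demo_log(void *ctx, int level, const char *msg)
{
    return msg != NULL && level <= *(int *)ctx;   /* 1 if at or below threshold */
}

static int demo_threshold = 3;   /* constructed sample value */
static struct demo_callback demo_callbacks[] = {
    { DEMO_CB_USER, (demo_cbproc_t)demo_get_user, "host/client.example.test" },
    { DEMO_CB_LOG, (demo_cbproc_t)demo_log, &demo_threshold }
};

/* The id is the only record of proc's real type: check it, then cast back. */
static int demo_call_user(const struct demo_callback *cb, const char **res, unsigned *len)
{
    if (cb == NULL || cb->id != DEMO_CB_USER || cb->proc == NULL) return -1;
    return ((demo_getsimple_t)cb->proc)(cb->context, DEMO_CB_USER, res, len);
}
static int demo_call_log(const struct demo_callback *cb, int level, const char *msg)
{
    if (cb == NULL || cb->id != DEMO_CB_LOG || cb->proc == NULL) return -1;
    return ((demo_log_t)cb->proc)(cb->context, level, msg);
}

int main(void)
{
    const char *user = NULL;
    unsigned len = 0;
    return demo_call_user(&demo_callbacks[0], &user, &len);   /* 0 on success */
}
```

Calling a handler through the stored `int (*)(void)` type without casting it back is undefined behaviour, which is why the dispatch functions refuse an entry whose id does not match.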
[PATCH] Two minor failover fixes
by Jakub Hrozek
Hi,
I found these when backporting a failover fix for RHEL-6.5. Michal, can
you take a look? I think you know the area best currently.
btw I'm wondering if for SRV resolving we should use a larger timeout as
the operation consists of resolving the SRV query and then the host name
itself..
10 years, 8 months
[PATCHES] Do not call sss_cmd_done in function check_cache
by Lukas Slebodnik
ehlo,
Attached patches should fix https://fedorahosted.org/sssd/ticket/1980
The first patch adds a check after sysdb_getnetgr. If sysdb_getnetgr returns more
than 1 result, sssd will return an error. sysdb_getpwnam has already had
this check.
The second patch removes the function call sss_cmd_done inside of check_cache,
because the function sss_cmd_done is called in parent functions.
This was a reason for the sssd crash.
How to reproduce this crash:
1. Add a netgroup to the sysdb cache with base cn=Netgroups,cn=<domain>,cn=sysdb
This netgroup should have the same attribute (name or nameAlias or memberOf)
as another netgroup.
2. Call sudo with a user who is a member of ^^^ netgroup.
Those patches fix only sssd crash, but we should find out:
Why were those netgroups stored in sysdb.
LS
10 years, 8 months