[PATCH] RESPONDER: Use right function prototype
by Lukas Slebodnik
ehlo,
Prototype of function sss_ncache_check_netgr was different than
definition of function sss_ncache_check_netgr. We did not catch it,
because header file "responder/common/negcache.h" was not included in
implementation file "responder/common/negcache.c"
Simple patch is attached.
LS
10 years, 7 months
[PATCH] Two minor man page patches
by Jakub Hrozek
I found these minor issues in our man pages, when triaging support
issues with Red Hat GSS earlier today.
The first patch changes the subtitle of the man pages. I wasn't
completely sure if the title is set to "SSSD config file" on purpose
(after all they do describe the config file, just per-provider), but I
think that at least the Kerberos locator man page should be fixed.
The second patch fixes indentation of programlisting. The programlisting
element makes the text in the element formatted verbatim, so it would
have appeared too much to the right.
10 years, 7 months
Understanding entry_negative_timeout
by Jean-Baptiste Denis
Hello everybody,
I've got an sssd configuration with two ldap domains. The nss part of
the configuration is this one:
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
override_shell = /bin/bash
entry_negative_timeout = 15
debug_level = 0x02F0
I've got a program that crawls a filesystem. For some reason, a bunch of
files have a uid which does not "resolve" to anything. My ldap backends
are hammered with requests like this one:
slapd[31421]: conn=361745 op=1712 SRCH base="ou=users,dc=example,dc=com"
scope=2 deref=0 filter="(&(uidNumber=1047)(objectClass=posixAccount))
In /var/log/sssd/sssd_nss.log, it corresponds to a lot of:
....
[sssd[nss]] [nss_cmd_getpwuid_search] (0x0040): No matching domain found
for [1047], fail!
...
I thought that the "entry_negative_timeout" in the nss part of the
configuration would prevent this kind of behaviour, but I obviously
didn't guess right.
Any advice?
Jean-Baptiste
10 years, 7 months
[PATCH] AD enumeration improvements
by Jakub Hrozek
Hi,
attached are patches that improve how we enumerate AD domains. The
problem is that currently the domain info (subdomain and master domain)
is downloaded when a responder queries the DP for domain info. But when
enumeration is enabled, the responder might not contact the DP at all as
the enumeration task runs on its own. I think the best solution is to
extend the enumeration task so that it also downloads the domain data
itself.
About the implementation, I was considering two options. One is the way
I took where the enumeration request is simply extended with downloading
master domain data. The other approach I was considering was extending
the generic enumeration request with downloading domain data which the
generic request would just shortcut. While this might seem like a better
approach, it also seemed like a complete overkill... but I'd like to hear
other opinions.
[PATCH 1/3] AD: async request to retrieve master domain info
Adds a reusable async request to download the master domain info.
This patch just splits the master domain request from the subdomain
request.
[PATCH 2/3] LDAP: sdap_id_setup_tasks accepts a custom enum request
AD provider will override the default with its own.
[PATCH 3/3] AD: Download master domain info when enumerating
https://fedorahosted.org/sssd/ticket/2068
Adds the master domain download task before the enumeration.
10 years, 7 months
[PATCH] Add journald support
by Jakub Hrozek
Hi,
attached are two small patches I wrote when I was checking whether
Fedora's move to journald affects us or not. Patch #1 adds a new
configure option, that, if enabled, routes logging via journald's API.
No change in logging format is present in this patch. You need to have
systemd-devel installed -- if the patches are accepted I'll amend the
specfile as well, but I didn't want to waste time now.
Patch #2 acts as kind of a demonstration of journald's extended
capabilities. The patch adds a new field that contains SSSD domain name
and makes it easy to distinguish log messages coming from different
domains with:
# journalctl SSSD_DOMAIN=foo.example.com
10 years, 7 months