Subdomains and access provider
by Dmitri Pal
Hello,
When one uses SSSD with AD provider but user comes from a subdomain
there are implications for the access provider. AFAIU we have a ticket
for simple access provider: https://fedorahosted.org/sssd/ticket/2034
but what about other access providers? What are the implications? And
what would be the best practices in configuring SSSD in this case? What
access provider would we recommend?
I envision a wiki page titled: "HOWTO/Selecting the best access control
configuration for the SSSD AD provider". That should cover different use
cases and give recommendations based on the use case.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
10 years, 7 months
[PATCH] mmap_cache: Do not remove record from chain twice
by Lukas Slebodnik
ehlo,
It is not very likely that a record will have the same hash1 and hash2, but it
is possible. In this situation, it does not make sense to remove the record twice.
Function sss_mc_rm_rec_from_chain was not robust and sssd_nss could crash
in this situation. It was only possible if the record was alone in the chain.
The reproducer is very simple: name and uid must be the same. (and we should
wait until this record will be removed)
We solved a problem in mmap_cache with commit
4662725ffef62b3b2502481438effa7c8fef9f80
"mmap_cache: Skip records which doesn't have same hash"
Although this problem was solved, user reported another crash
https://bugzilla.redhat.com/show_bug.cgi?id=997406#c12
He wrote:
>On my first runs it also did not core dump for days ... also in this
>testing cycle I only had those two core dumps yesterday but no more -
>seems difficult to reproduce even in my environment.
I was unable to reproduce the user's crash, so I decided to decrease the size of
hash_table (16 times) and I hit this issue. Backtrace from BZ997406#c12 looks
different; I am still trying to reproduce his issue.
Patch is attached.
LS
BTW: I was very lucky, because I ran into a situation where the record had the same
hashes for name and uid
(gdb) call sss_mc_hash(mcc, "testbigldap121129", 18)
$18 = 1532
(gdb) p sss_mc_hash(mcc, "121129", 7)
$19 = 1532
(gdb) p mcc->ht_size
$20 = 25000
10 years, 7 months
[PATCH] expand_ccname_template: fixes and tests
by Sumit Bose
Hi,
while looking at expand_ccname_template() because of shadowing rewind()
I realized that there are some issues with some of the new krb5.conf
templates. This patch fixes them and adds some tests to avoid similar
issues in the future.
There is one change in behaviour. If the name in the %{} braces does not
match any of the known krb5.conf templates for UNIX the new code returns
an error while the old just returned something, which in most cases will
not be the original input. Please tell me if you prefer the original
input in this case so that I can change the patch accordingly.
bye,
Sumit
10 years, 7 months
[PATCH] Fix bug in Makefile.am
by Simo Sorce
I found this while working on a different patch.
Looks like a simple copy&paste error.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
10 years, 7 months
[PATCHES] Remove requests when AD subdomain goes away
by Ondrej Kos
Hi,
Attached are three patches,
[PATCH 1/3] Make subdomain refresh period configurable
* Adds the ad_subdomain_refresh_period and ipa_subdomain_refresh_period
configuration options. This isn't needed to be pushed, but I think it
can be beneficial. Also, I needed to write this anyway to work with the
refresh.
[PATCH 2/3] DP: Store list of back-end tevent requests
* Adds every created request to list, and removes every terminated. This
is to enable iteration through active requests, to fix the issue
addressed in https://fedorahosted.org/sssd/ticket/1968
[PATCH 3/3] Clean list of domain requests
* fixes https://fedorahosted.org/sssd/ticket/1968
* Goes through the list of tevent requests introduced in the previous patch
and those which match the vanished domain are terminated.
Ondra
--
Ondrej Kos
Associate Software Engineer
Identity Management - SSSD
Red Hat Czech
10 years, 7 months
[PATCH] AD: Rename parametrized #define
by Jakub Hrozek
This is a real nitpick, but I think any string constants that contain a
printf-like format specifier should be named so that their name includes
FMT, TMPL or similar to minimize the risk of being used in a wrong way.
10 years, 7 months
[PATCH 1/1] Fix reference to sssd-krb5 man page
by Nikolai Kondrashov
Replace incorrect reference to "sssd-krb5.conf" manpage with the correct
"sssd-krb5" in sssd_krb5_locator_plugin man page source.
---
src/man/sssd_krb5_locator_plugin.8.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/man/sssd_krb5_locator_plugin.8.xml b/src/man/sssd_krb5_locator_plugin.8.xml
index 824b35f..ab28e12 100644
--- a/src/man/sssd_krb5_locator_plugin.8.xml
+++ b/src/man/sssd_krb5_locator_plugin.8.xml
@@ -40,7 +40,7 @@
</citerefentry>
as described in
<citerefentry>
- <refentrytitle>sssd-krb5.conf</refentrytitle>
+ <refentrytitle>sssd-krb5</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>
</para>
--
1.7.10.4
10 years, 7 months