On taking over serving Local user accounts
by Simo Sorce
One of the plans for better desktop integration is to slowly take over
local accounts by creating a new provider that uses system files
(passwd, shadow, group, etc...) and augments them with additional
information maintained in sssd's long term cache.
Part of this plan calls for changing how nsswitch is configured so that
the sss nsswitch module comes first. This is useful for a variety of
reasons, including that we can cache users from passwd/group in the fast
cache too and do not pay the penalty of going through the slower
nss_files provider for each request.
However this comes with a gotcha when sssd is stopped, as the cache will
not be updated. This is particularly important at bootup time when sssd
is not started yet but some daemons already exist and start consulting
user entries. In order to avoid issues I think we should make it
possible for nss_sss to understand whether it can actually trust caches
or not.
One idea is to mark "system" users/groups in the cache, and have nss_sss
ignore them if they are in the cache but it is not possible to connect
to sssd. This should be pretty lightweight as it just tries to connect
to the sssd socket but does not need to make any communication on it
except for the first request and getting a "echo" or "version" packet
(just to check sssd_nss is actually alive).
If connection to sssd_nss fails then nss_sss will not return the system
user and the query will naturally fall back to use nss_files instead.
We may want to use some very strict timeout on the socket for this
specific case, to avoid stalling the boot process. It's not a big deal:
the process falls back to using nss_files, so we are always correct in
any case.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
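The probe described above, as an added example that is not sssd's code: a cached entry flagged as a system user is served only if sssd_nss accepts a connection within a strict timeout, otherwise the lookup falls through to nss_files. The socket path, the `system` flag and the enum names are assumptions for the demo; the "echo"/"version" packet exchange is left out and only the connect is shown.

```c
/* Added example, not sssd code: the "can I trust the cache?" probe.
 * A cached entry flagged as a system user is only served if sssd_nss
 * accepts a connection within timeout_ms; if not, the caller reports
 * NOTFOUND so nsswitch falls through to nss_files (assumed names). */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

enum lookup_result { SERVE_CACHED, FALL_BACK_TO_FILES };

/* Non-blocking connect() to a UNIX socket, bounded by timeout_ms, so a
 * not-yet-started sssd at boot costs at most timeout_ms per lookup. */
static bool sssd_nss_reachable(const char *path, int timeout_ms)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    struct pollfd pfd = { .events = POLLOUT };
    int fd, err = 0;
    socklen_t len = sizeof(err);
    bool ok = false;
    if (strlen(path) >= sizeof(sa.sun_path)) return false;
    strcpy(sa.sun_path, path);
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return false;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
    if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0) {
        ok = true;
    } else if (errno == EINPROGRESS) {
        pfd.fd = fd;
        ok = poll(&pfd, 1, timeout_ms) == 1 &&
             getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) == 0 && err == 0;
    }
    close(fd);
    return ok;
}

/* Policy: a cached 'system' entry is never served while sssd is down, so
 * a stale cache cannot shadow /etc/passwd; other entries stay cache-served. */
static enum lookup_result decide(bool cached_is_system, const char *sock,
                                 int timeout_ms)
{
    if (cached_is_system && !sssd_nss_reachable(sock, timeout_ms))
        return FALL_BACK_TO_FILES;
    return SERVE_CACHED;
}
```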
9 years, 9 months
[PATCH] ldap_opts: Get rid of 389ds-specific values in rfc2307bis schema
by Lukas Slebodnik
ehlo,
There is a problem with the OpenLDAP server and dereferencing of attributes
that are not in the schema of the server:
sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \
-E 'deref=member:uid,dummy_attr' cn=ref_grp
Protocol error (2)
Additional information: Dereference control: attribute decoding error
sh-4.2$ echo $?
2
The attribute nsUniqueID is a 389-only, non-standard attribute.
It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson
nor posixAccount schema. OpenLDAP supports the standard entryUUID attribute,
which is basically the same (uniquely identifies an entry throughout
a replication topology), but uses the standard UUID format rather than
the non-standard format used by 389.
4x FIXME removed :-)
Any comments are welcomed.
LS
9 years, 9 months
[PATCH] sudo: use dbus array for rules refresh
by Pavel Březina
https://fedorahosted.org/sssd/ticket/2387
I wrote the code originally with very little understanding of D-Bus and
it's quite awful. This is just a hotfix, but I think the code deserves
some nice refactoring.
I'd like to use our new codegen tool and do it for all handlers at once.
I don't see any ticket for refactoring data provider code to use our new
dbus facility, should I create one or did I just miss it?
9 years, 9 months
sss_client: thread safe initialisation of sss_nss_mc_get_ctx
by Lukas Slebodnik
ehlo,
attached patches fix problems with mmap cache in client code.
The 1st patch is at least 5th version, because I found few problems in my
previous versions myself. I hope you will not find anything else :-)
Patches change client code. It will be good to have at least 2 ACKs.
How to test?
You can use the simple program from the ticket description (#2380).
The program calls getuid, therefore the user should be from sssd and not /etc/passwd.
It needn't crash the first time, but you can use a simple for loop
for i in {1..100}; do ./a1; done
You can also use the 3rd patch to see the code flow, e.g.
bash-4.2$ ./a1
more [2] threads try to init mem ctc
init.done
seed or table size do not match
sss_nss_check_header end:Invalid argument
more [3] threads try to init mem ctc
calling munmap
calling close
Segmentation fault (core dumped)
bash-4.2$ ./a1
init.done
more [2] threads try to init mem ctc
more [3] threads try to init mem ctc
seed or table size do not match
sss_nss_check_header end:Invalid argument
seed or table size do not match
seed or table size do not match
calling munmap
calling close
sss_nss_check_header beg:Invalid argument
calling close
init.done
Floating point exception (core dumped)
If you apply the 3rd patch you can simulate the old version with this simple diff:
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
index 768763f..cea3a78 100644
--- a/src/sss_client/nss_mc_common.c
+++ b/src/sss_client/nss_mc_common.c
@@ -131,7 +131,7 @@ errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx)
*/
fprintf(stderr, "more [%d] threads try to init mem ctc\n",
ctx->init_count);
- return EAGAIN;
+ //return EAGAIN;
}
ret = asprintf(&file, "%s/%s", SSS_NSS_MCACHE_DIR, name);
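Review bot: commenting out `return EAGAIN;` below the "more [%d] threads try to init mem ctc" message is fine as a reproducer but must not be pushed: without the early return every thread that observed a concurrent initialiser falls through to the `asprintf(&file, ...)` path on the same ctx, which is exactly the interleaving the output above shows (munmap/close from one thread while another is still checking the header, then a crash). The `fprintf(stderr, ...)` in an NSS client library is also debugging-only and should go before the final patch.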
LS
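The init guard the diff above exercises, as an added example that is not sssd's code: the first thread to raise `init_count` from zero owns the (here simulated) mapping of the cache, and concurrent callers get EAGAIN and retry instead of running the header check, munmap and close on the same context. The struct, the fake map and the thread count are constructed for the demo.

```c
/* Added example, not sssd code: serialised init of a shared mmap ctx.
 * The first thread to bump init_count from 0 builds the (simulated) map;
 * anyone who sees a non-zero count backs off with EAGAIN and retries,
 * so no two threads ever run init/munmap/close on the same ctx. */
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

struct mc_ctx {
    atomic_int init_count;    /* threads currently inside init */
    atomic_bool initialized;
    atomic_int init_runs;     /* how often the map was really built */
    void *map;                /* stands in for the mmap'ed cache file */
};

static int mc_get_ctx(struct mc_ctx *ctx)
{
    if (atomic_load(&ctx->initialized)) return 0;
    if (atomic_fetch_add(&ctx->init_count, 1) != 0) {
        atomic_fetch_sub(&ctx->init_count, 1);
        return EAGAIN;        /* someone else is initialising: retry later */
    }
    if (!atomic_load(&ctx->initialized)) {   /* re-check after winning */
        ctx->map = malloc(4096);             /* constructed stand-in for mmap */
        atomic_fetch_add(&ctx->init_runs, 1);
        atomic_store(&ctx->initialized, true);
    }
    atomic_fetch_sub(&ctx->init_count, 1);
    return 0;
}

static void *worker(void *arg)
{
    while (mc_get_ctx(arg) == EAGAIN)   /* an NSS lookup just retries */
        sched_yield();
    return NULL;
}

/* Spawn n threads racing on one ctx; returns how many times init ran. */
static int race_init(int n)
{
    struct mc_ctx ctx = { 0 };
    pthread_t th[n];
    for (int i = 0; i < n; i++) pthread_create(&th[i], NULL, worker, &ctx);
    for (int i = 0; i < n; i++) pthread_join(th[i], NULL);
    free(ctx.map);
    return atomic_load(&ctx.init_runs);
}
```

With the guard in place init runs exactly once no matter how many threads race; dropping the EAGAIN return, as the diff above does, is what lets several of them build and tear down the same map.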
9 years, 9 months