[PATCH] nss_check_name_of_well_known_sid() improve name splitting
by Sumit Bose
Hi,
this patch should fix https://fedorahosted.org/sssd/ticket/2717 .
As you can see I added a new entry ipa_ad_default_names to the global
nss context so that the regular expression string is only evaluated
once. Since it is currently only used in
nss_check_name_of_well_known_sid() I do the initialization here to avoid
initialization when it is not needed. If you think this is too risky in
future I'm fine with moving the initialization to the general
initialization of the nss context.
bye,
Sumit
8 years, 2 months
Time-Based Policies in FreeIPA [update]
by Stanislav Laznicka
Hi,
So my concerns about thread-safety of the solution seem to be
exaggerated, which is a good thing. Let me post just a little update of
the work on the SSSD side for time policies in FreeIPA (also attaching
current patches).
Thanks to the guys in the Brno office, we've been able to fix the Python
bindings I prepared some time ago. I have also written some Python tests
for the HbacTimeRules class according to the HbacRuleElement class.
Currently, a time attribute still needs to be added to the HbacRequest
class so that it can be used for HBAC evaluation in Python. I was also
wondering whether HbacTimeRules object should react when a wrong time
policy string is handed to it (e.g. you want to set "2000" as access
time instead of "timeofday=2000"). If such a time rule gets evaluated,
the mistake gets detected anyway.
One thing I was also thinking is that you may want to have the
time-rules language parsed by regular expressions in ipa_timerules.c
module. Currently, this is done by a finite automaton which works just
fine but the code may not be that readable.
Also note that the IPA_TIMEZONE constant was renamed to "ipaTimeZone"
from "timezone" according to the latest changes I made on FreeIPA side,
should you decide to try it and the timezones do not work. I have not
yet published those FreeIPA changes, but other than this, they are
rather cosmetic, code-wise.
Cheers,
Standa
8 years, 2 months
[PATCH] Update few debug messages
by Lukas Slebodnik
ehlo,
I noticed the same noise in log files as the user in ticket 2678.
It was a little bit related to the latest changes with setting
initgroups flag in the right time.
LS
8 years, 2 months
[PATCH] test common: sss_dp_get_account_recv() fix assignment
by Sumit Bose
Hi,
this patch fixes a simple copy-and-paste issue in the common test code.
Since we currently always call mock_account_recv() with the second and
third argument set to 0 and NULL respectively, it didn't become an issue
earlier.
bye,
Sumit
8 years, 2 months
Announcing SSSD 1.13.0 Alpha
by Jakub Hrozek
=== SSSD 1.13.0 ===
The SSSD team is proud to announce the release of version 1.13.0 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Support for separate prompts when using two-factor authentication was added
* Added support for one-way trusts between an IPA and Active Directory
environment. Please note that this SSSD functionality depends on IPA code
that is not released at the moment.
* The fast memory cache now also supports the initgroups operation.
* The PAM responder is now capable of caching authentication for configurable
period, which might reduce server load in cases where accounts authenticate
very frequently. Please refer to the cached_auth_timeout option in the
sssd.conf manual page.
* The Active Directory provider has changed the default value of the
ad_gpo_access_control option from permissive to enforcing. As a consequence,
the GPO access control now affects all clients that set access_provider to
ad. In order to restore the previous behaviour, set ad_gpo_access_control
to permissive or use a different access_provider type.
* Group Policy objects defined in a different AD domain than the one the
computer object is defined in are now supported.
* Credential caching and Offline authentication are also available when
using two-factor authentication
* Many enhancements to the InfoPipe D-Bus API. Notably, the SSSD users
and groups are now exposed as first-class objects. The users and groups
can also be marked as cached and would subsequently show up in the
Introspection output
* The DBus interface is now also able to look up User objects by
certificate. This is a first part of work that will eventually allow
smart-card authentication in SSSD.
* The LDAP cleanup task is now disabled by default, unless enumeration is
enabled. Please refer to the ldap_purge_cache_timeout option in case your
environment requires the cleanup task
* The Python bindings are now built for both Python2 and Python3
* The LDAP bind timeout, StartTLS timeout and password change timeout are
now configurable using the ldap_opt_timeout option
== Packaging Changes ==
* A new directory /var/lib/sss/keytabs is present and owned by the sssd-ipa
subpackage. The SSSD stores keytabs for one-way trust relationships in
this directory. Downstreams should make sure that the directory is only
readable to the user who runs the SSSD service.
* Several packaging changes are present in this release to support the
Python3 bindings, notably new python-sss and python-sss-murmur subpackages
are introduced in upstream RPM packaging
* All python bindings now have a Python3 and a Python2 version in the
upstream RPM packaging scheme
* The OpenSSL development library, such as openssl-devel on RHEL/Fedora or
libssl-dev on Debian/Ubuntu, is now required to support certificate operations
* A new internal library libsss_cert.so is present in this release.
* The fast initgroups memcache is represented by a new file
/var/lib/sss/mc/initgroups
== Documentation Changes ==
* The ad_gpo_access_control option default has changed from permissive
to enforcing
* The default value of ldap_purge_cache_timeout changed to 0, thus
effectively disabling the cleanup task.
* A new option cache_credentials_minimal_first_factor_length was added. This
option sets constraints on the password length if One-Time passwords
are used and credentials are to be cached. Please see the sssd.conf(5)
man page for more details
* The cached authentication is controlled by new option
cached_auth_timeout. By default the cached authentication is disabled.
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/897
sssd should pass -d to nsupdate when running with high log level
https://fedorahosted.org/sssd/ticket/1501
Make the LDAP bind operation timeout configurable
https://fedorahosted.org/sssd/ticket/2150
[RFE] Expose listing calls over D-BUS
https://fedorahosted.org/sssd/ticket/2224
nsupdate stderr is not captured
https://fedorahosted.org/sssd/ticket/2236
The cleanup task has no DEBUG statements
https://fedorahosted.org/sssd/ticket/2326
SBUS: Flush the UID cache when we receive NameOwnerChanged
https://fedorahosted.org/sssd/ticket/2338
[RFE] Implement object caching on the bus
https://fedorahosted.org/sssd/ticket/2339
IFP: support multiple interfaces for object
https://fedorahosted.org/sssd/ticket/2540
SSSD does not update Dynamic DNS records if the IPA domain differs
from machine hostname's domain
https://fedorahosted.org/sssd/ticket/2569
In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA
user are not able to log unless use_fully_qualified_names is set
https://fedorahosted.org/sssd/ticket/2574
SSSD should be able to build python2 and python3 bindings in a one build
https://fedorahosted.org/sssd/ticket/2583
[RFE] Homedir is always overwritten with subdomain_homedir value in
server mode
https://fedorahosted.org/sssd/ticket/2593
Does sssd-ad use the most suitable attribute for group name?
https://fedorahosted.org/sssd/ticket/2603
Make SSSD's HBAC validation more permissive if deny rules are not used
https://fedorahosted.org/sssd/ticket/2609
[bug] sssd always appends default_domain_suffix when checking for host keys
https://fedorahosted.org/sssd/ticket/2618
Man sssd-ad(5) lists Group Policy Management Editor naming for some
policies but not for all
https://fedorahosted.org/sssd/ticket/2620
id_provider=proxy with auth_provider=ldap does not work reliably
https://fedorahosted.org/sssd/ticket/2625
Sudo responder does not respect filter_users and filter_groups
https://fedorahosted.org/sssd/ticket/2627
Disable the cleanup task by default
https://fedorahosted.org/sssd/ticket/2636
RFE: Fetch keytabs for one-way trusts in IPA subdomain code
https://fedorahosted.org/sssd/ticket/2638
RFE: Change ad_id_ctx instantiation in the IPA subdomain code to
support one-way trusts
https://fedorahosted.org/sssd/ticket/2645
[RFE] Support GPOs from different domain controllers
https://fedorahosted.org/sssd/ticket/2661
RFE: Change AD GPO default to enforcing
https://fedorahosted.org/sssd/ticket/2666
sssd with ldap backend throws error domain log
https://fedorahosted.org/sssd/ticket/1807
[RFE] authenticate against cache in SSSD
https://fedorahosted.org/sssd/ticket/2485
[RFE] The fast memory cache should cache initgroups
https://fedorahosted.org/sssd/ticket/2590
SSSD doesn't re-read resolv.conf if the file doesn't exist during boot
https://fedorahosted.org/sssd/ticket/2641
Add a IS_DEFAULT_VIEW macro
https://fedorahosted.org/sssd/ticket/2701
Kerberos-based providers other than krb5 do not queue requests
== Detailed Changelog ==
Jakub Hrozek (73):
* MAN: Fix a typo
* SYSDB: Reduce code duplication in sysdb_gpo.c
* UTIL: Make two child_common.c functions static
* TESTS: Cover child_common.c with unit tests
* LDAP: Use child_io_destructor instead of child_cleanup in a custom destructor
* UTIL: Remove child_cleanup
* UTIL: Unify the fd_nonblocking implementation
* RESOLV: Remove obsolete in-tree implementation of SRV and TXT parsing
* PAM: print the pam status as string, too
* KRB5: More debugging for create_ccache()
* SDAP: Make simple bind timeout configurable
* SDAP: Make password change timeout configurable with ldap_opt_timeout
* SDAP: Make StartTLS bind configurable with ldap_opt_timeout
* SDAP: Decorate the sdap_op functions with DEBUG messages
* IPA: Remove the ipa_hbac_treat_deny_as option
* MAN: Clarify debug_level a bit
* SSH: Ignore the default_domain_suffix
* LDAP: Set sdap handle as explicitly connected in LDAP auth
* tests: Revert strcmp condition
* ncache: Fix sss_ncache_reset_permanent
* ncache: Silence critical error from filter_users when default_domain_suffix is set
* ncache: Add sss_ncache_reset_repopulate_permanent
* responders: reset ncache after domains are discovered during startup
* NSS: Reset negcache after checking domains
* MAN: Clarify how are GPO mappings called in GPO editor
* UTIL: Add a simple function to get the fd of debug_file
* dyndns: Log nsupdate stderr with a high debug level
* nsupdate: Append -d/-D to nsupdate with a high debug level
* subdom: Remove unused function get_flat_name_from_subdomain_name
* nss: Use negcache for getbysid requests
* tests: Add NSS responder tests for bysid requests
* LDAP: disable the cleanup task by default
* TESTS: Use the right testcase
* TESTS: Add test for get_next_domain
* LDAP: Do not print verbose DEBUG messages from providers that don't set UUID
* SYSDB: Store trust direction for subdomains
* UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it private
* TESTS: Add a test for sysdb_subdomains.c
* SYSDB: Add realm to sysdb_master_domain_add_info
* SYSDB: Add a forest root attribute to sss_domain_info
* IPA: Add ipa_subdomains_handler_get_{start,cont} wrappers
* IPA: Check master domain record before subdomain records
* IPA: Fold ipa_subdom_enumerates into ipa_subdom_store
* IPA: Also update master domain when initializing subdom handler
* IPA: Move server-mode functions to a separate module
* IPA: Split two functions to new module ipa_subdomains_utils.c
* IPA: Include ipaNTTrustDirection in the attribute set for trusted domains
* IPA: Read forest name for trusted forest roots as well
* IPA: Make constructing an IPA server mode context async
* TESTS: Split off keytab creation into a common module
* TESTS: Add a common mock_be_ctx function
* TESTS: Add a common function to set up sdap_id_ctx
* TESTS: Move krb5_try_kdcip to nested group test
* TESTS: Add unit test for the subdomain_server.c module
* IPA: Fetch keytab for 1way trusts
* AD: Rename ad_set_ad_id_options to ad_set_sdap_options
* AD: Rename ad_create_default_options to ad_create_2way_trust_options
* AD: Split off ad_create_default_options
* IPA/AD: Set up AD domain in ad_create_2way_trust_options
* IPA: Do not set AD_KRB5_REALM twice
* AD: Add ad_create_1way_trust_options
* IPA: Utility function for setting up one-way trust context
* LDAP: Do not set keytab through environment variable
* LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour
* CONFIG: Add SSS_STATEDIR as VARDIR/lib/sss
* BUILD: Store keytabs in /var/lib/sss/keytabs
* Updating the translations for the 1.13 Alpha release
* Updating the version.m4 file for the 1.13 Beta release
* tests: Reduce duplication with new function test_ev_done
* KRB5: Add and use krb5_auth_queue_send to queue requests by default
* PAM: Only cache first-factor
* Updating the translations for the 1.13.0 release
* Updating the version for the 1.13.0 release
John Dickerson (1):
* MAN: Amend the description of ignore_group_members
Lukas Slebodnik (67):
* MAN: Remove indentation in element programlisting
* Fix warning: for loop has empty body
* Bump version to track 1.13 development
* SPEC: Use libnl3 for epel6
* MAKE: Don't include autoconf generated file to tarball
* TESTS: Mock return value of sdap_get_generic_recv
* test_nested_groups: Additional unit tests
* Fix warning: equality comparison with extraneous parentheses
* LDAP: Conditional jump depends on uninitialised value
* BUILD: Remove unused libraries for pysss.so
* BUILD: Remove unused variables
* BUILD: Remove detection of type Py_ssize_t
* UTIL: Remove python wrapper sss_python_set_new
* UTIL: Remove python wrapper sss_python_set_add
* UTIL: Remove python wrapper sss_python_set_check
* UTIL: Remove compatibility macro PyModule_AddIntMacro
* UTIL: Remove python wrapper sss_python_unicode_from_string
* BUILD: Use python-config for detection *FLAGS
* SPEC: Use new convention for python packages
* SPEC: Move python bindings to separate packages
* BUILD: Add possibility to build python{2,3} bindings
* TESTS: Run python tests with all supported python versions
* SPEC: Replace python_ macros with python2_
* SPEC: Build python3 bindings on available platforms
* BUILD: Uninstall also symbolic links to python bindings
* Remove unused argument from be_nsupdate_create_fwd_msg
* IPA: Remove unused argument from ipa_id_get_group_uuids
* Remove useless assignment to function parameter
* PAC: Fix memory leak
* responder_cache: Fix warning may be used uninitialized
* debug-tests: Fix test with new line in debug message
* BUILD: Add missing header file to tarball
* pam_client: fix casting to const pointer
* test_expire: Use right assertion macro for standard functions
* test_ldap_auth: Use right assertion for integer comparison
* test_resolv_fake: Fix alignment warning
* PAC: Remove unused function
* KRB5: Unify prototype and definition
* util-tests: Initialize boolean variable to default value
* SPEC: Drop workaround for old libtool
* SPEC: Drop workarounds for old rpmbuild
* SPEC: Remove unused option
* SPEC: Few cosmetic changes
* simple_access-tests: Simplify assertion
* sysdb-tests: Add missing assertions
* sysdb-tests: test return value before output arguments
* ad_opts: Use different default attribute for group name
* BUILD: Write hints about optional python bindings
* sss_client: Fix mixed enums
* LDAP: Remove dead assignment
* sss_client: Fix warning "_" redefined
* SSSDConfigTest: Use unique temporary directory
* util-tests: Add validation of internal error messages
* SDAP: Check return value before using output arguments
* SDAP: Log failure from sysdb_handle_original_uuid
* test_ipa_subdomains_server: Run clean-up after success
* IFP: Fix warnings with enabled optimisation
* SDAP: Remove user from cache for missing user in LDAP
* test_ipa_subdom_server: Add missing assert
* test_ipa_subdomains_server: Fix build with --coverage
* nss: Store entries in responder to initgr mmap cache
* mmap_cache: Invalidate entry in right memory cache
* nss: Invalidate entry in initgr mmap cache
* sss_client: Use initgr mmap cache in client code
* sss_cache: Clear also initgroups fast cache
* sss_client: Use unique lock for memory cache
* sss_client: Re-check memcache after acquiring the lock
Michal Zidek (5):
* Use FQDN if default domain was set
* MAN: default_domain_suffix with use_fully_qualified_names.
* views: Add is_default_view helper function
* MONITOR: Poll for resolv.conf if not available during boot
* MONITOR: Do not report missing file as fatal in monitor_config_file
Nikolai Kondrashov (3):
* BUILD: Add AM_PYTHON2_MODULE macro
* Add integration tests
* BUILD: Fix variable substitution in cwrap.m4
Pavel Březina (53):
* tests: refactor create_dom_test_ctx()
* tests: add create_multidom_test_ctx()
* tests: add test_multidom_suite_cleanup()
* tests: remove code duplication in single domain cleanup
* responders: new interface for cache request
* responders: enable views in cache request
* IFP: use new cache interface
* server-tests: use strtouint32 instead strtol
* sbus: add new iface via sbus_conn_register_iface()
* sbus: move iface and object path code to separate file
* sbus: use 'path/*' to represent a D-Bus fallback
* sbus: support multiple interfaces on single path
* sbus: add object path to sbus request
* sbus: add sbus_opath_hash_lookup_supported()
* sbus: support org.freedesktop.DBus.Introspectable
* sbus: support org.freedesktop.DBus.Properties
* sbus: unify naming of handler data variable
* sbus: move common opath functions from ifp to sbus code
* sbus: add sbus_opath_get_object_name()
* ifp: fix potential memory leak in check_and_get_component_from_path()
* sbus: use hard coded getters instead of generated
* sbus: remove unused 'reply as' functions
* IFP: move interface definitions from ifpsrv.c into separate file
* IFP: unify generated interfaces names
* sbus codegen: do not prefix getters with iface name
* IFP: simplify object path constant names
* sbus: add constant to represent subtree
* be_refresh: get rid of callback pointers
* sysdb: use sysdb_user/group_dn
* cache_req tests: rename test_user to test_user_by_name
* cache_req tests: define user name constant
* cache_req: preparations for different input type
* cache_req: add support for user by uid
* cache_req: add support for group by name
* cache_req: remove default branch from switches
* cache_req: add support for group by id
* cmocka: include mock_parse_inp in header file
* cache_req: parse input name if needed
* cache_req: return ERR_INTERNAL if more than one entry is found
* sbus: provide custom error names
* sbus: add sbus_opath_decompose[_exact]
* sbus: add a{sas} get invoker
* IFP: add org.freedesktop.sssd.infopipe.Users
* IFP: add org.freedesktop.sssd.infopipe.Users.User
* IFP: add org.freedesktop.sssd.infopipe.Groups
* IFP: add org.freedesktop.sssd.infopipe.Groups.Group
* IFP: deprecate GetUserAttr
* IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object]
* SBUS: Use default GetAll invoker if none is set
* SBUS: Add support for <node /> in introspection
* IFP: Export nodes
* sbus: add support for incoming signals
* sbus: listen to NameOwnerChanged
Pavel Reichl (20):
* add missing '\n' in debug messages
* PROXY: add missing space in debug message
* BUILD: fix chmake not to generate warning
* SDAP: log expired accounts at lower severity level
* KRB5: add debug hint
* TESTS: test expiration
* ldap: refactor check_pwexpire_kerberos to use util func
* ldap: refactor nds_check_expired to use util func
* Fix a few typos in comments
* sbus: sbus_opath_hash_add_iface free tmp talloc ctx
* krb5: remove field run_as_user
* localauth plugin: fix coverity warning
* dyndns: remove dupl declaration of ipa_dyndns_update
* dyndns: don't pass zone directive to nsupdate
* dyndns: ipa_dyndns.h missed declaration of used data
* krb: remove duplicate decl. of write_krb5info_file
* IPA: Don't override homedir with subdomain_homedir
* sysdb: new attribute lastOnlineAuthWithCurrentToken
* PAM: authenticate against cache
* Minor code improvements
Stephen Gallagher (5):
* LDAP: Support returning referral information
* AD GPO: Support processing referrals
* AD GPO: Change default to "enforcing"
* Add Vagrant configuration for SSSD
* GPO: Fix incorrect strerror on GPO access denial
Sumit Bose (22):
* Add leak check and command line option to test_authtok
* utils: add sss_authtok_[gs]et_2fa
* pam: handle 2FA authentication token in the responder
* Add pre-auth request
* krb5-child: add preauth and split 2fa token support
* IPA: create preauth indicator file at startup
* pam_sss: add pre-auth and 2fa support
* Add cache_credentials_minimal_first_factor_length config option
* sysdb: add sysdb_cache_password_ex()
* krb5: save hash of the first authentication factor to the cache
* krb5: try delayed online authentication only for single factor auth
* 2FA offline auth
* pam_sss: move message encoding into separate file
* PAM: add PAM responder unit test
* adding ldap_user_auth_type where missing
* LDAP: add ldap_user_certificate option
* certs: add PEM/DER conversion utilities
* sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert()
* LDAP/IPA: add user lookup by certificate
* ncache: add calls for certificate based searches
* utils: add get_last_x_chars()
* IFP: add FindByCertificate method for User objects
8 years, 2 months
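The release notes above name several options whose defaults or semantics changed in 1.13.0 (ad_gpo_access_control, cached_auth_timeout, cache_credentials_minimal_first_factor_length, ldap_purge_cache_timeout). The following sssd.conf fragment is an added illustration by the editor, not part of the announcement or of the SSSD project's documentation; the domain name example.com, the timeout values and the policy choices are constructed placeholders, and the option names and their accepted values (permissive/enforcing, seconds, 0 to disable) come from the announcement and sssd.conf(5). Which setting is the "weak" one depends on the deployment: the commented alternatives show the pre-1.13 behaviour that an administrator may need to restore deliberately after upgrading.

```ini
# Constructed example configuration illustrating the 1.13.0 option changes.
# Not shipped with SSSD; values are placeholders for a hypothetical AD-joined host.

[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[pam]
# Offline credential caching for users who already authenticated online.
offline_credentials_expiration = 2

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad

# 1.13.0 changed the default from "permissive" to "enforcing": with
# access_provider = ad, GPO logon-right restrictions now deny access.
# Restoring the old behaviour is an explicit choice, so write it down:
ad_gpo_access_control = enforcing
# ad_gpo_access_control = permissive   # pre-1.13 behaviour, audits only

# Required before any offline or cached authentication can work.
cache_credentials = True

# New in 1.13.0: accept the cached password hash for this many seconds
# after a successful online authentication instead of contacting the
# server. Default 0 keeps cached auth disabled; raise it only for hosts
# where frequent re-authentication would otherwise load the server.
cached_auth_timeout = 600
# cached_auth_timeout = 0   # default, every authentication goes online

# New in 1.13.0: when two-factor authentication is in use, refuse to cache
# credentials unless the first factor (the password part) is at least this
# long, so a short PIN alone is never cached for offline use.
cache_credentials_minimal_first_factor_length = 8

# 1.13.0 disabled the LDAP cache cleanup task by default (0). Set a
# positive number of seconds if the environment relies on periodic
# removal of stale entries, e.g. with enumeration enabled.
ldap_purge_cache_timeout = 0
```

After editing the file, restart sssd and verify the effective values with `sssctl` or by checking the domain log at a debug level that prints option values; a typo in an option name is silently ignored by older SSSD versions, so an unexpected "permissive" GPO outcome after upgrade is worth checking against this file first.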
[PATCHES] PAM: authenticate against cache
by Pavel Reichl
Hello,
please see the first version of these patches. I'm currently working on a unit
test for the second patch, which will be part of the second revision of
the patch set.
Thanks!
8 years, 2 months
[PATCH] Chain authentication requests in all Kerberos-based providers
by Jakub Hrozek
Hi,
the attached patches fix https://fedorahosted.org/sssd/ticket/2701
The first patch just adds a common function instead of copying the same
pattern again to the new test.
The second adds a new request krb5_auth_queue_send() that wraps
krb5_auth_send() and also uses the Kerberos authentication queue. I hope
the unit tests cover a lot of use-cases, if not, please suggest more!
btw I was thinking that the chaining might not always be necessary if
the ccache is of type MEMORY and I hope that the serialization wouldn't
be perceived as a performance regression for users. Shall we say that
Pavel's cached auth patches are a more systematic solution that doesn't
rely on properties of the ccache type in that case?
8 years, 2 months