sssd-devel January 2016

sssd-devel@lists.fedorahosted.org

14 participants
74 discussions

[PATCHES] Support IPA sudo schema
by Pavel Březina 19 Jan '16

19 Jan '16

Hello list, the support of IPA sudo schema is almost complete. The only thing that remains is to finish smart refresh implementation and one patch to reduce code duplication between LDAP and IPA implementation. Then I need to run some tests but I don't expect much troubles here since I tested it a lot during development. I'll finish all of this after my Christmas vacation. The patches are probably too big to be sent as an attachment, so until I complete the last two patches, you can check it on my git repo, branch sudo [1]. I don't really expect anyone to review them during Christmas break, but I thought it's a good thing to present if in case someone will get really bored from all the candies and family visits :-) Happy reviewing. [1] https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/log/?h=sudo

4 28

[PATCH] NSS: Refresh also netgroup cache if needed
by Michal Židek 19 Jan '16

19 Jan '16

Hi! see attached simple patch for ticket: https://fedorahosted.org/sssd/ticket/2912 The first patch is for master and 1.13 the second for 1.12. It seems like the decision to ignore cache validity when background refresh is enabled was not a good one and it was not possible to fetch new netgroup entry even if the old was invalidated with sss_cache. Michal

2 4

[PATCH] Make responder connectin code more generic
by Simo Sorce 18 Jan '16

18 Jan '16

The following 2 patches change the connection setup code to be more flexible. They are the groundwork to add a new secrets[1] responder that uses a REST API over a unix socket and therefore requires a different protocol handler. The first patch move some protocol and state data into opaque pointers so that responders can arbitrarily set them. Ticket: https://fedorahosted.org/sssd/ticket/2918 The second patch adds the ability to use socket activation for responders. Although this is not currently wired in for use in currently. It is related to: https://fedorahosted.org/sssd/ticket/2243 These patches are being worked on on my secsrv branch here: https://fedorapeople.org/cgit/simo/public_git/sssd.git/log/?h=secsrv [1] https://fedorahosted.org/sssd/wiki/DesignDocs/SecretsService -- Simo Sorce * Red Hat, Inc * New York

2 3

SSSD: User found in AD but authentication fails
by mferon 18 Jan '16

18 Jan '16

Hello all. I'm trying to setup a ldap against AD authentication. I've installed SSSD 1.12.4 OS: Red Hat Enterprise Linux Server release 6.2 (Santiago) In the logs, my search brings back the user but the final result fails in not found. for testing I use 'id WXYZ123' A ldapsearch works fine. I've tried to set ldap_id_mapping = false to true but the request is completed with a ((null=*)) AND condition => so it fails each time I've already spent 5 days and getting crazy. I've googled a lot but don't found any answer, except the https://fedorahosted.org/sssd/ticket/2666 ticket. A great thanks to any help you could bring to me Happy new year! PS: I'm french and didn't practice english writing for a long time, sorry :) ) (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_print_server] (0x2000): Searching XXX.XXX.XXX.XXX (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(& (sAMAccountName=WXYZ123)(objectclass=user)(sAMAccountName=*)(& (objectSid=*)(!(objectSid=0))))] [OU=RessLocales,DC=corp,DC=log,DC=intra,DC=mydomain,DC=fr]. (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSid] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID] [...] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 3 (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_id_op_connect_done] (0x4000): caching successful connection after 1 notifies (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [be_run_unconditional_online_cb] (0x4000): List of unconditional online callbacks is empty, nothing to do. (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_result] (0x2000): Trace: sh[0x10d8800], connected[1], ops[0x10e5d90], ldap[0x10d51d0] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_result] (0x2000): Trace: sh[0x10d8800], connected[1], ops[0x10e5d90], ldap[0x10d51d0] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=FERON Matthieu,OU=Utilisateurs,OU=MainOU,OU=RessLocales,DC=corp,DC=log,DC=intr a,DC=mydomain,DC=fr]. (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range] (0x2000): No sub-attributes for [accountExpires] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimeStamp] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_result] (0x2000): Trace: sh[0x10d8800], connected[1], ops[0x10e5d90], ldap[0x10d51d0] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results. Great, I found myself! (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_search_user_process] (0x4000): Retrieved total 1 users (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [ldb] (0x4000): start ldb transaction (nesting: 0) (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_save_user] (0x0400): Save user (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0] [Success] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_save_user] (0x4000): objectSID: not available for user (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_get_primary_name] (0x0400): Processing object XORC529 (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_save_user] (0x0400): Processing user XORC529 (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_get_users_done] (0x4000): Saving 1 Users - Done (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_id_op_done] (0x4000): releasing operation connection (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_result] (0x2000): Trace: sh[0x10d8800], connected[1], ops[(nil)], ldap[0x10d51d0] (Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! Whu ?? (Mon Jan 18 10:42:13 2016) [sssd[be[laposte.fr]]] [sbus_dispatch] (0x4000): dbus conn: 0x10c2670 (Mon Jan 18 10:42:13 2016) [sssd[be[laposte.fr]]] [sbus_dispatch] (0x4000): Dispatching. (Mon Jan 18 10:42:13 2016) [sssd[be[laposte.fr]]] [sbus_message_handler] (0x4000): Received SBUS method [ping] (Mon Jan 18 10:42:13 2016) [sssd[be[laposte.fr]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jan 18 10:42:13 2016) [sssd[be[laposte.fr]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping] Here is my sssd.conf [sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam domains = mydomain.fr [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 [domain/mydomain.fr] debug_level = 0x7700 cache_credentials = False id_provider = ldap auth_provider = krb5 chpass_provider = krb5 access_provider = ldap ldap_uri = ldap://XXX.XXX.XXX.XXX ldap_id_mapping = false ldap_schema = rfc2307bis ldap_referrals = False ldap_search_base = OU=RessLocales,DC=corp,DC=log,DC=intra,DC=mydomain,DC=fr ldap_user_search_base = OU=RessLocales,DC=corp,DC=log,DC=intra,DC=mydomain,DC=fr ldap_user_object_class = user ldap_group_search_base = OU=Users,DC=corp,DC=log,DC=intra,DC=mydomain,DC=fr ldap_group_object_class = group ldap_user_name = sAMAccountName ldap_user_uid_number = objectSid ldap_user_gid_number = objectGUID ldap_user_home_directory = unixHomeDirectory ldap_user_member_of = memberOf ldap_access_order = expire ldap_account_expire_policy = ad ldap_force_upper_case_realm = True ldap_id_use_start_tls = False ldap_user_member_of = memberOf ldap_default_bind_dn = CN=AllowedToBindUSer,OU=Services,OU=OtherOU,OU=Applications,DC=corp,DC=l og,DC=intra,DC=mydomain,DC=fr ldap_default_authtok_type = password ldap_default_authtok = MySecretPassword ldap_tls_cacertdir = /etc/openldap/cacerts My krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = MYDOMAIN.FR dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] MYDOMAIN.FR = { kdc = XXX.XXX.XXX.XXX admin_server = XXX.XXX.XXX.XXX } [domain_realm] .mydomain.fr = MYDOMAIN.FR mydomain.fr = MYDOMAIN.FR

1 0

[PATCH] SPEC: Fix unowned directories
by Lukas Slebodnik 15 Jan '16

15 Jan '16

ehlo, patch should fix fedora bug 1266940 LS

2 9

[PATCHES] Replace monitor pings with in process watchdog
by Simo Sorce 15 Jan '16

15 Jan '16

The attached patches implement a service watchdog based on timers and a custom SIGRT signal (of which there are 30/32 available to use) and removes the ping based solution. In case a child gets stuck in a tevent loop the timer will eventually kill it (in 30 sec. by default) and the monitor will catch the child has terminated (via SGICHLD) and restart it. This makes the ping based infrastructure obsolet so the monitor now stops setting it up. In order to avoid changes to the dbus interface the ping method is still in places for responders/providers, but simply never invoked. Resolves: https://fedorahosted.org/sssd/ticket/2921 -- Simo Sorce * Red Hat, Inc * New York

3 2

[PATCH] SDAP: do not fail if refs are found but not processed
by Pavel Březina 15 Jan '16

15 Jan '16

https://fedorahosted.org/sssd/ticket/2906 Hi, I'm CCing Stephen as he is original author of the code. Without this patch I am not able to work with AD when ldap_referrals=true, with this patch it works. I'm not sure though if it is a correct fix or if we can find a better one. As the removed comment says the referrals should be processed by openldap so why aren't they?

3 4

[PATCH] KRB5: Adding DNS SRV lookup for krb5 provider
by Petr Cech 14 Jan '16

14 Jan '16

Hi, there is a patch for [1] attached. Regards -- Petr^4 Cech [1] https://fedorahosted.org/sssd/ticket/2888

3 5

[PATCH] SDAP: handle ret properly in ldap_get_options()
by Pavel Březina 14 Jan '16

14 Jan '16

Just found this when working on other stuff...

2 2

[PATCH] SPEC: Move libsss_sudo.so outside sssd-common
by Lukas Slebodnik 14 Jan '16

14 Jan '16

ehlo, This change is required to reduce dependency tree in client container (or on atomic host, ...) Patch is attached. LS

3 9

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel January 2016