I'd like to continue the discussion of tlog integration, and also present you
the first release of tlog - a development preview, which has the configuration
interface necessary to implement the integration:
You're more than welcome to download RPMs, install, read tlog-rec(8) and
tlog-rec.conf(5), and experiment! Building from the Git tree and the tarball
works as well, if you're so inclined. I'm also attaching those manpages for
Here are the integration plans so far, as discussed with Jakub on our
devconf.cz trip meetings and before on the list. Jakub, please correct me or
* We follow the route similar to that taken by SELinux rule control
implementation . I.e. store the configuration in LDAP HBAC rules,
write to files on the client side and then specify them to tlog upon user
However, I'm also rather fond of the idea of specifying the whole
configuration through an environment variable instead of through a file
referenced by an environment variable - it's not big at all, and we'll avoid
the hassle of managing the files.
I implemented support for both in tlog (was easy).
* We'll have to make nss_sss report user's shell as tlog-rec (how?) and
specify the actual shell to tlog-rec via an environment variable, through
pam_sss (with SSS_PAM_ENV_ITEM messages). I.e.:
* Nss_sss would always report tlog-rec as the user's shell.
* During login (e.g. through "login" or "sshd") pam_sss would add a variable
to the user environment, containing, or pointing at, a tlog-rec
configuration (TLOG_REC_CONF_TEXT or TLOG_REC_CONF_FILE). That
configuration would contain the user's actual shell. I can also implement
support for a separate variable just for the shell (TLOG_REC_SHELL?) to
simplify the implementation for the start.
* Tlog-rec would read the system-wide configuration and overlay it with the
one specified in the environment, adding the specific user shell, and then
would spawn it.
Please also see the draft integration design page  for reference.
I hope to refine and extend it in the coming weeks to match FreeIPA standards.
Please chime in and suggest, object, discuss!
Also, please report tlog bugs at https://github.com/spbnick/tlog/issues
I wanted to split include/debug_levels.xml into more files so we don't
duplicate information, but I didn't figure out how to use xi:include in
files that are already beeing included. I always managed to fail on dtd
validation. Maybe someone more familiar with docbook may chime in.
First patch, see attached.
This is for easy fix from ticket
I am going on the assumption that if the first 2 characters of ad_server
are digits then it is likely an IP address and not hostname. If you have
a better idea for this please let me know.
attached patch should fix ticket #2926
The default case (no adding, no removing services) is tested
If the patch is not ready for stable branch sssd-1-13
then we might merge this case with GPO code which uses slightly
modified way using hash tables.
I'm resending a patch for ticket #2870 on behalf of the original
reporter who also kindly submitted a patch.
The patch looks good to me, as soon as we fix CI, I'll submit it as well
and I think we can push it..
this patch fixes and issue during initgroups in AD forests. Please see
the commit message for details.
To reproduce this you can create a new user outside of CN=Users on the
forest root. The new user can be created in an existing container or in
a new OU container. Most important is that it is not a child of
CN=Users. In a child domain (it must be a child, domains with a
different base won't trigger the issue) create a user with the same
name. With this setup 'id user(a)forest.root' will not return the complete
list of group the user is a member of and the patch should fix this.
On 11/23/2015 04:32 PM, Petr Spacek wrote:
> On 23.11.2015 13:53, Pavel Reichl wrote:
>> On 11/20/2015 05:35 PM, Jakub Hrozek wrote:
>>> On Fri, Nov 20, 2015 at 03:57:04PM +0100, Pavel Reichl wrote:
>>>> please see attached patch.
>>> Could you ask Petr Spacek to do a conceptual review? Somebody else (me
>>> of noone else is interested) can then do the code-review but I don't
>>> think our team has as good experience in handling nsupdate details..
>> Hello Petr, could you do the conceptual review as Jakub wishes?
>> I hope it should not be too hard as what we change in the patches is
>> generation of a textual message for nsupdate and it's tested I dare to say
> Sure, just send me a link :-) I do not see it the message above.
Sure, hope the link will work for you:
I'm working on pam_sss.so tests and I ran into a problem that I don't
know how to solve best.
tl;dr, I would like to set different environment variables for different
tests in order to set up cwrap libraries differently per-test.
I can't use setenv() in the test itself, because that's too late, I need
the variables to be set when __attribute__(constructor) is run, so normally
at program startup, when the libraries are loaded.
With cmake it's easy, use set(TEST_ENVIRONMENT). But with autotools, I
only found two ways:
- TESTS_ENVIRONMENT - this is fine, but it's per Makefile.am. So I
would have to split the tests more, into pam_wrapper tests that also
require uid_wrapper, tests that only require pam_wrapper, ...
- LOG_COMPILER - this allows to run a wrapper script before a test
that receives the test name as argv. So this is pretty much what I
want except this is a feature new to automake 1.12, which would
rule out both RHEL-6 and Ubuntu Trusty (which is used by Travis)
So I'm really leaning towards creating a src/tests/cwrap/pwrap/Makefile.am
and src/tests/cwrap/pwrap_root/Makefile.am. The downside of multiple
Makefile.am files is that there is some code duplication and the build
takes longer. But I still think there is enough interest (from us and from
our users) to support git master on old platforms. I can file a ticket to
remove this and use LOG_COMPILER when we drop support for RHEL-6 and old
If you disagree, please reply, otherwise I'm going to send a patch with
42% code coverage, up from 0% last week. Woo!
please see attached patch set which contains some refactoring which is
in my opinion quite safe. It doesn't touch the recursive call of
pam_reply() as I think that changing that would be more risky change.