sssd-devel February 2016

sssd-devel@lists.fedorahosted.org

19 participants
75 discussions

Start a nNew thread

[sssd-1-13] [PATCH] UTIL: Backport error code ERR_ACCOUNT_LOCKED
by Lukas Slebodnik 18 Feb '16

18 Feb '16

ehlo, Attached patch fixes failures in 1.13 branch http://sssd-ci.duckdns.org/logs/job/37/45/summary.html LS

2 2

[PATCH] PAM: Notify user of denial due to AD account lockout
by Pavel Reichl 17 Feb '16

17 Feb '16

Hello, please see attached patch. To test connect to AD using ldap provider (for both id and auth). Lock account of AD user by entering invalid password repeatedly. In pam section of sssd.conf set pam_account_locked_message option. After failing to su as locked user you should see message containing this information. Thanks!

7 51

Announcing SSSD 1.11.8
by Jakub Hrozek 17 Feb '16

17 Feb '16

=== SSSD 1.11.8 === The SSSD team is proud to announce the release of version 1.11.8 of the System Security Services Daemon. As always, the source is available from https://fedorahosted.org/sssd == Feedback == Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users == Highlights == * This release focuses on backporting bug fixes from the 1.12 and 1.13 releases. At the moment, the SSSD upstream does not plan on releasing 1.11.9, barring security issues or regressions in this release. We recommend that all users of 1.11 upgrade to 1.12 or 1.13. * Several bugs related to using id_provider=ldap together with ID mapping enabled were fixed * Fixed a potential use-after-free error in the nested groups resolution code * The service restart code in the main "sssd" process was improved * The PAC responder can be built with MIT Kerberos versions 1.13 and 1.14 * A potential segfault in the memberof ldb plugin was fixed * The LDAP child no longer leaves a stray temporary file behind in case acquiring the credentials fails * The sudo responder works correctly even for users or groups whose name contains an LDAP special character such as ) * The autofs responder now works even with setups that enable the default_domain_suffix option * A memory leak in the NSS responder when a non-existing netgroup was requested is fixed in this release * The SSSD no longer leaks a file descriptor if service discovery times out when discovering an LDAP server * The sudo responder fixed the logic to sort entries with the sudoOrder attribute to match the sudo's native LDAP code == Documentation Changes == * The ldap_use_tokengroups option defaults to false in the generic LDAP provider. Previously, both the AD and LDAP provider (with ldap_schema set to ad) attempted to use the tokenGroups, resulting in numerous bugs. == Tickets Fixed == * https://fedorahosted.org/sssd/ticket/2412 Error processing universal groups with cross-domain membership in SSSD server mode * https://fedorahosted.org/sssd/ticket/2471 RHEL6.6 sssd (1.11) fails if IPA permissions and roles have the same name * https://fedorahosted.org/sssd/ticket/2484 Password change over ssh doesn't work with OTP and FreeIPA * https://fedorahosted.org/sssd/ticket/2448 MAN: If ldap_group_base is set, tokengroups might not be able to convert all GIDs to names * https://fedorahosted.org/sssd/ticket/2445 Race condition while invalidating memory cache in client code * https://fedorahosted.org/sssd/ticket/2492 Group membership gets lost in IPA server mode * https://fedorahosted.org/sssd/ticket/2573 Use after free in proxy provider. * https://fedorahosted.org/sssd/ticket/2611 sssd_be dumping core if enumeration times out * https://fedorahosted.org/sssd/ticket/2525 Monitor SIGKILL timer issue and service restart failure * https://fedorahosted.org/sssd/ticket/2572 [abrt] sssd-common: talloc_abort(): sssd killed by SIGABRT * https://fedorahosted.org/sssd/ticket/2430 sssd segfaults repeatedly with error 4 in memberof.so * https://fedorahosted.org/sssd/ticket/1096 Clock skew in krb5 auth should result in offline operation, not failure * https://fedorahosted.org/sssd/ticket/2592 ccname_file_dummy is not unlinked on error * https://fedorahosted.org/sssd/ticket/2613 sysdb sudo search doesn't escape special characters * https://fedorahosted.org/sssd/ticket/2625 Sudo responder does not respect filter_users and filter_groups * https://fedorahosted.org/sssd/ticket/2643 autofs provider fails when default_domain_suffix and use_fully_qualified_names set * https://fedorahosted.org/sssd/ticket/2634 sssd nss responder gets wrong number of secondary groups * https://fedorahosted.org/sssd/ticket/2644 ignore_group_members doesn't work for subdomains * https://fedorahosted.org/sssd/ticket/2659 IPA enumeration provider crashes * https://fedorahosted.org/sssd/ticket/2663 id lookup for non-root domain users doesn't return all groups on first attempt * https://fedorahosted.org/sssd/ticket/2681 SSSD cache is not updated after user is deleted from ldap server * https://fedorahosted.org/sssd/ticket/2744 cleanup_groups should sanitize dn of groups * https://fedorahosted.org/sssd/ticket/2800 Relax POSIX check * https://fedorahosted.org/sssd/ticket/2803 Memory leak / possible DoS with krb auth. * https://fedorahosted.org/sssd/ticket/2792 SSSD is not closing sockets properly * https://fedorahosted.org/sssd/ticket/2888 SRV lookups with id_provider=proxy and auth_provider=krb5 * https://fedorahosted.org/sssd/ticket/2865 sssd_nss memory usage keeps growing on sssd-1.12.4-47.el6.x86_64 (RHEL6.7) when trying to retrieve non-existing netgroups * https://fedorahosted.org/sssd/ticket/2682 sudoOrder not honored as expected == Detailed Changelog == Adam Tkac (1): * Option filter_users had no effect for retrieving sudo rules Aron Parsons (1): * autofs: fix 'Cannot allocate memory' with FQDNs Dan Lavu (1): * MAN: page edit for ldap_use_tokengroups Daniel Hjorth (1): * LDAP: unlink ccname_file_dummy if there is an error Jakub Hrozek (8): * Updating the version for the 1.11.8 development * IPA: Use GC for group lookups in server mode * LDAP: Do not clobber return value when multiple controls are returned * PAC: krb5_pac_verify failures should not be fatal * LDAP: return after tevent_req_error * KRB5: Go offline in case of clock skew * Download complete groups if ignore_group_members is set with tokengroups * DP: Set extra_value to NULL for enum requests Jan Engelhardt (1): * build: call AC_BUILD_AUX_DIR before anything else Lukas Slebodnik (16): * Revert "LDAP: Change defaults for ldap_user/group_objectsid" * LDAP: Disable token groups by default * sss_client: Extract destroying of mmap cache to function * sss_client: Fix race condition in memory cache * PROXY: Fix use after free * pysss_nss_idmap: Use wrapper for older python * MONITOR: Fix double free * TEST: Test empty results from functions sysdb_search_* * SDAP: Do not set gid 0 twice * nss: Do not ignore default vaue of SYSDB_INITGR_EXPIRE * SDAP: Set initgroups expire attribute at the end * SDAP: Remove user from cache for missing user in LDAP * LDAP: Sanitize group dn before using in filter * LDAP: Fix leak of file descriptors * BUILD: Accept krb5 1.14 for building the PAC plugin * BUILD: Fix linking issues on debian Michal Zidek (1): * LDAP: Change defaults for ldap_user/group_objectsid Nalin Dahyabhai (1): * Accept krb5 1.13 for building the PAC plugin Nikolai Kondrashov (1): * build: Don't install ad and ipa man pages unnecessarily Pavel Březina (4): * IPA: use ipaUserGroup object class for groups * enumeration: fix talloc context * sudo: sanitize filter values * sudo: use "higher value wins" when ordering rules Pavel Reichl (14): * LDAP: retain external members * SDAP: return after tevent_req_error * sudo: return after tevent_req_error * monitor: use-after-free bugfix * monitor: monitor_kill_service - refactor * monitor: memory-leak bug * SYSDB: sysdb_search_entry fix memory leak * SYSDB: sysdb_search_custom fix memory leak * TESTS: sysdb_search_return_ENOENT - check mem leaks * SDAP: Relax POSIX check * NSS: sysdb_getnetgr check return value first * NSS: sysdb_getnetgr refactor * NSS: fix memory leak in sysdb_getnetgr * NSS: Fix memory leak netgroup Petr Cech (1): * KRB5: Adding DNS SRV lookup for krb5 provider Simo Sorce (1): * Signals: Remove unused functions Stephen Gallagher (2): * monitor: Service restart fixes * UTIL: Do not change SSSD domains in get_domains_head Sumit Bose (2): * memberof: check for empty arrays to avoid segfaults * ldap: use proper sysdb name in groups_by_user_done() Thomas Oulevey (1): * Fix memory leak in sssdpac_verify()

1 0

[PATCH] BUILD: Enable the sssd krb5 localauth plugin by default
by Lukas Slebodnik 16 Feb '16

16 Feb '16

ehlo, attached simple patch is a result of "Fedora end of life" message for related Fedora ticket. If you have an idea about better names I will be glad to change them. BTW shoulw we also remove this part from function sss_write_krb5_conf_snippet LS

3 7

I would like to add two more sections to the design page template
by Jakub Hrozek 16 Feb '16

16 Feb '16

see subject, I would like to add: - how to debug: - summarize what to look for if the feature does not work. It's fine to say something like 'follow generic sssd debugging procedure' but we should think about debug messages and the debugging process when we design a new feature. Remember, this will save us time later :-) - dependencies: - list changes that are required in other packages for this feature to work. This would mostly be interesting for downstreams who would know that they need to upgrade the dependecy as well. Is everyone OK with that?

3 3

[PATCH] sudo: use "higher value wins" when ordering rules
by Pavel Březina 16 Feb '16

16 Feb '16

https://fedorahosted.org/sssd/ticket/2682 I think this option should stay undocumented since we want the users to use the correct sorting logic.

3 8

[PATCH] NSS: Fix memory leak netgroup
by Pavel Reichl 16 Feb '16

16 Feb '16

Hello, attached patch proposes solution for leaking memory when non-existing netgroup is looked up. 1st patch is just for testing - just call 'pkill -SIGUSR1 sssd_nss' and talloc report will be generated in /tmp/sssd_nss_talloc_report_full. For details about the bug please see commit message in 2nd patch. User who reported the bug confirmed that so far it seems that memory leak has been fixed and he didn't report any side effects. Thanks!

3 24

RFC: 1.11.8 release notes
by Jakub Hrozek 16 Feb '16

16 Feb '16

Hi, I prepared the release notes for the 1.11.8 release here: https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.8 Please comment or edit..

1 0

[PATCH] IDMAP: Add test to validate off by one bug
by Pavel Reichl 15 Feb '16

15 Feb '16

Hello, please see simple test adding test for https://fedorahosted.org/sssd/ticket/2922. Sumit proposed to test if mapping of UNIX MAX_ID + 1 fails to be mapped to SID. Without patch for #2922 test fails otherwise test passes. Thanks.

5 30

[PATCHES] BUILD: Speed up build of some tests
by Lukas Slebodnik 15 Feb '16

15 Feb '16

ehlo, Attached patches reduce count of compiled ".c" files from 935 -> 815 (almost 9%). This reduction is achieved in deduplication of compiling "*.c" files in tests. BTW the tests were compiled 4 times in our CI script. * make tests * mock build * make distcheck * code coverage The result saving will not be 9% of time due to parallel build but it still worth. (and Makefile.am is simpler) LS

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel February 2016