I'd like to continue the discussion of tlog integration, and also present you
the first release of tlog - a development preview, which has the configuration
interface necessary to implement the integration:
You're more than welcome to download RPMs, install, read tlog-rec(8) and
tlog-rec.conf(5), and experiment! Building from the Git tree and the tarball
works as well, if you're so inclined. I'm also attaching those manpages for
Here are the integration plans so far, as discussed with Jakub on our
devconf.cz trip meetings and before on the list. Jakub, please correct me or
* We follow the route similar to that taken by SELinux rule control
implementation . I.e. store the configuration in LDAP HBAC rules,
write to files on the client side and then specify them to tlog upon user
However, I'm also rather fond of the idea of specifying the whole
configuration through an environment variable instead of through a file
referenced by an environment variable - it's not big at all, and we'll avoid
the hassle of managing the files.
I implemented support for both in tlog (was easy).
* We'll have to make nss_sss report user's shell as tlog-rec (how?) and
specify the actual shell to tlog-rec via an environment variable, through
pam_sss (with SSS_PAM_ENV_ITEM messages). I.e.:
* Nss_sss would always report tlog-rec as the user's shell.
* During login (e.g. through "login" or "sshd") pam_sss would add a variable
to the user environment, containing, or pointing at, a tlog-rec
configuration (TLOG_REC_CONF_TEXT or TLOG_REC_CONF_FILE). That
configuration would contain the user's actual shell. I can also implement
support for a separate variable just for the shell (TLOG_REC_SHELL?) to
simplify the implementation for the start.
* Tlog-rec would read the system-wide configuration and overlay it with the
one specified in the environment, adding the specific user shell, and then
would spawn it.
Please also see the draft integration design page  for reference.
I hope to refine and extend it in the coming weeks to match FreeIPA standards.
Please chime in and suggest, object, discuss!
Also, please report tlog bugs at https://github.com/spbnick/tlog/issues
I wanted to split include/debug_levels.xml into more files so we don't
duplicate information, but I didn't figure out how to use xi:include in
files that are already beeing included. I always managed to fail on dtd
validation. Maybe someone more familiar with docbook may chime in.
First patch, see attached.
This is for easy fix from ticket
I am going on the assumption that if the first 2 characters of ad_server
are digits then it is likely an IP address and not hostname. If you have
a better idea for this please let me know.
attached patch should fix ticket #2926
The default case (no adding, no removing services) is tested
If the patch is not ready for stable branch sssd-1-13
then we might merge this case with GPO code which uses slightly
modified way using hash tables.
I'm resending a patch for ticket #2870 on behalf of the original
reporter who also kindly submitted a patch.
The patch looks good to me, as soon as we fix CI, I'll submit it as well
and I think we can push it..
This patchset implements a new responder like service in SSSD called
secrets. It uses the Custodia project API to offer a service where
applications/users can store secrets in a way that makes requests
remotizable and routable with a high degree of configurability (esp, in
conjunction with a Custodia proxy).
Included are also accessory patches to change the monitor and other
aspects of service startup and monitoring necessary to have this new
kind of service which is more independent than the pam/nss based
There is no testsuite for the service yet.
The work is also not complete in that the monitor does not start the
service yet, I have an experimental unit file I am working on but it is
not fully functional and not included yet..
I do not expect all patches to be accepted right away, but they all work
individually (manually tested), but I think it is a good time to start
review and bring in what works, as we are going to spread some of the
remaining work across multiple people.
Simo Sorce * Red Hat, Inc * New York
this patch fixes and issue during initgroups in AD forests. Please see
the commit message for details.
To reproduce this you can create a new user outside of CN=Users on the
forest root. The new user can be created in an existing container or in
a new OU container. Most important is that it is not a child of
CN=Users. In a child domain (it must be a child, domains with a
different base won't trigger the issue) create a user with the same
name. With this setup 'id user(a)forest.root' will not return the complete
list of group the user is a member of and the patch should fix this.
Pavel Březina and I have prepared the 1st draft of design document. We mostly focused on summing up its future functionality and its interface.
Please comment if you miss some essential functionality or if you would prefer some different interface.