[PATCH SET] A new Secrets service
by Simo Sorce
This patchset implements a new responder-like service in SSSD called
secrets. It uses the Custodia project API to offer a service where
applications/users can store secrets in a way that makes requests
remotizable and routable with a high degree of configurability (esp. in
conjunction with a Custodia proxy).
Included are also accessory patches to change the monitor and other
aspects of service startup and monitoring necessary to have this new
kind of service which is more independent than the pam/nss based
services.
There is no testsuite for the service yet.
The work is also not complete in that the monitor does not start the
service yet; I have an experimental unit file I am working on, but it is
not fully functional and not included yet.
I do not expect all patches to be accepted right away, but they all work
individually (manually tested), and I think it is a good time to start
review and bring in what works, as we are going to spread some of the
remaining work across multiple people.
HTH,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
7 years, 10 months
[PATCHES] gpo and ding libs
by Michal Židek
Hello!
See the patches in the attachment, which are part of the solution for
https://fedorahosted.org/sssd/ticket/2751
There are a few ding libs patches. The first is unrelated, but I just added
some missing trace info.
The second is a patch for the new parser flag that Dmitri wrote in the
discussion for ticket
https://fedorahosted.org/sssd/ticket/2986
I modified the patch a little, so I cannot ack it (the check was necessary
in one more place, so I added it there).
The third ding libs patch adds a unit test for the new flag. I decided to
add a new check-based test rather than adding the test to ini_parse_ut.c,
so it is the only test in the suite for now.
There is also a patch for SSSD attached that can take advantage of this
flag to solve the GPO issues once the new version of ding libs is released.
Michal
7 years, 10 months
[PATCH] sdap: improve filtering of multiple results in GC lookups
by Sumit Bose
Hi,
this patch fixes an issue during initgroups in AD forests. Please see
the commit message for details.
To reproduce this you can create a new user outside of CN=Users on the
forest root. The new user can be created in an existing container or in
a new OU container. Most important is that it is not a child of
CN=Users. In a child domain (it must be a child, domains with a
different base won't trigger the issue) create a user with the same
name. With this setup 'id user@forest.root' will not return the complete
list of groups the user is a member of, and the patch should fix this.
bye,
Sumit
7 years, 10 months
[PATCH] AD: use krb5_keytab for subdomain initialization
by Sumit Bose
Hi,
this is a bit of a follow-up patch to "subdomains: inherit
ldap_krb5_keytab". It turned out that if the default keytab contains
some completely unrelated keys the SASL initialization might e.g. pick a
wrong realm name because the alternative keytab was only added later
during the initialization.
bye,
Sumit
7 years, 10 months
[PATCHES] Support starting SSSD from a default configuration
by Stephen Gallagher
These patches provide support for shipping a default configuration file that the
monitor will automatically copy to /etc/sssd/sssd.conf if none already exists.
The idea is for distributions to be able to provide a default (and resettable)
configuration for out-of-the-box behavior.
I considered writing the patch to check /etc/sssd and then check /usr/lib*/sssd
in turn, but I realized that this would be too complicated with the infopipe
interactions (which would need to be updated to do a copy-on-write the first
time they changed something). It was simpler to just always create the /etc
version and use that.
Patch 0001: Create a secure copy function that can be used to duplicate the
default configuration
Patch 0002: Cosmetic patch; changes the name of an internal macro variable to
make it clear that it's the active configuration file, not the default one.
Patch 0003: Add the logic to confdb_setup.c to copy over the default
configuration if and only if our attempt to load the configuration came up with
ERR_MISSING_CONF. It will then try to load it again and proceed or fail from there.
The default configuration provided here is to load the SSSD with a single proxy
provider that reads from nss_files (and supports authentication through
pam_unix). This does not have to be shipped with any downstream package; the
idea is that downstreams would be expected to modify this configuration to their
own needs. This would need to be called out in the release announcement for
whatever version of SSSD incorporates this change.
These patches will require a change to the SELinux policy, since the monitor
needs to be able to write to the /etc/sssd directory.
type=AVC msg=audit(1461088081.353:550): avc: denied { write } for pid=3721
comm="sssd" name="sssd" dev="dm-0" ino=4600013
scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0
tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
7 years, 10 months
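A secure copy-if-missing routine in the spirit of the one Patch 0001 describes, added here as an illustration and not taken from SSSD or this patch set; the function names copy_default_conf and demo_copy, the temp-directory layout and the sample [sssd] config are this example's own assumptions:

```c
#define _GNU_SOURCE                  /* O_NOFOLLOW, O_CLOEXEC, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Copy src to dst only if dst does not exist yet (example code, not SSSD's).
 * Returns 0 on success, 1 if dst already existed (left untouched), -1 on error. */
int copy_default_conf(const char *src, const char *dst)
{
    int in = open(src, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (in < 0) return -1;
    /* O_EXCL makes "create if missing" atomic: a file or symlink planted at dst between the failed load and this call is never clobbered. */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (out < 0) {
        int rc = (errno == EEXIST) ? 1 : -1;
        close(in);
        return rc;
    }
    char buf[4096]; ssize_t n, off, w; int rc = 0;
    while (rc == 0 && (n = read(in, buf, sizeof buf)) > 0)
        for (off = 0; off < n && rc == 0; off += w)
            if ((w = write(out, buf + off, (size_t)(n - off))) < 0) rc = -1;
    if (n < 0 || fsync(out) < 0) rc = -1;
    if (close(out) < 0) rc = -1;
    close(in);
    if (rc != 0) unlink(dst);        /* never leave a partial config behind */
    return rc;
}

/* Demo on a constructed default config in a temp dir: the first copy succeeds
 * with mode 0600, the second reports that the existing file was left alone. */
int demo_copy(void)
{
    char dir[] = "/tmp/sssd-conf-demo-XXXXXX", src[256], dst[256]; struct stat st;
    const char *conf = "[sssd]\nservices = nss, pam\ndomains = files\n"; /* constructed */
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(src, sizeof src, "%s/sssd.conf.default", dir);
    snprintf(dst, sizeof dst, "%s/sssd.conf", dir);
    FILE *f = fopen(src, "w");
    if (f == NULL || fputs(conf, f) == EOF || fclose(f) != 0) return -1;
    int first = copy_default_conf(src, dst), second = copy_default_conf(src, dst);
    int ok = first == 0 && second == 1 && stat(dst, &st) == 0 &&
             (st.st_mode & 0777) == 0600 && st.st_size == (off_t)strlen(conf);
    unlink(src); unlink(dst); rmdir(dir);
    return ok ? 0 : -1;
}
```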
[PATCH] PAM: Export original user shell to tlog-rec
by Nikolai Kondrashov
Hi everyone,
The attached patch adds exporting of the original (non-overridden) user shell
to tlog-rec during PAM session opening. The shell is exported by adding the
variable "TLOG_REC_SHELL" to the user's environment.
This is supposed to be used within the preliminary session recording solution,
which employs tlog [1]. Administrators are supposed to set up session
recording with SSSD by adding local overrides of the user shell to
"/usr/bin/tlog-rec". When tlog-rec is spawned in the role of the shell, it
sets up terminal I/O recording and then spawns the shell specified in
"TLOG_REC_SHELL".
This can be tested by logging in as any user and checking whether the
TLOG_REC_SHELL variable is set to the original (non-overridden) shell.
This is a draft patch and code and design change suggestions are welcome.
Thank you.
Nick
[1] https://github.com/Scribery/tlog
7 years, 11 months
Re: DDNS: Use nsupdate keywords for all transactions
by Pavel Reichl
On 11/23/2015 04:32 PM, Petr Spacek wrote:
> On 23.11.2015 13:53, Pavel Reichl wrote:
>> On 11/20/2015 05:35 PM, Jakub Hrozek wrote:
>>> On Fri, Nov 20, 2015 at 03:57:04PM +0100, Pavel Reichl wrote:
>>>> Hello,
>>>>
>>>> please see attached patch.
>>>>
>>>> Thanks!
>>>
>>> Could you ask Petr Spacek to do a conceptual review? Somebody else (me
>>> if no one else is interested) can then do the code review, but I don't
>>> think our team has as good experience in handling nsupdate details.
>>>
>>
>> Hello Petr, could you do the conceptual review as Jakub wishes?
>>
>> I hope it should not be too hard, as what we change in the patches is
>> the generation of a textual message for nsupdate, and it's tested, I dare
>> to say, thoroughly.
>
> Sure, just send me a link :-) I do not see it in the message above.
>
Sure, hope the link will work for you:
https://lists.fedorahosted.org/archives/list/sssd-devel%40lists.fedorahos...
7 years, 11 months