See commit message for details.
Two configurations need to be tested -- a domain with
use_fully_qualified_name = true and a configuration with IPA-AD trusts
where default_domain_suffix is set to the AD domain.
This patch is the SSSD part of the Authentication Indicator related
changes in FreeIPA. The basic part is that now it is possible to
authenticate at will with either password or 2FA as described on
To test you need a FreeIPA server build from the FreeIPA master branch
and optionally Nathaniel's '[PATCH 0093] Enable service authentication
indicator management' which is currently under review for the kvno
related test. Additionally you need MIT Kerberos packages which contain
the fix for https://bugzilla.redhat.com//show_bug.cgi?id=1340304.
Since this patch changes how libkrb5 gets the password for password
authentication with newer versions of MIT Kerberos, it would be nice if
someone can run some regression tests with the AD or plain KRB5
Please see the attached patch. I didn't find any information in the ssh
man pages about the expected error codes from the AuthorizedKeysCommand,
but I think we should at least suppress the error messages.
I tested with:
$ sss_ssh_authorizedkeys root
$ sss_ssh_authorizedkeys user-from-passwd
$ sss_ssh_authorizedkeys user-from-ipa
$ sss_ssh_authorizedkeys non-existing-user
The first three should be silent, the last one still prints an error
message. I think that's acceptable, because I would expect ssh to call
getpwnam() on its own before calling the AuthorizedKeysCommand.
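As an added illustration (not part of the patch or of the SSSD project), the wrapper below shows one way an AuthorizedKeysCommand can be kept silent for unknown users, which is the concern raised above. It assumes the helper is named sss_ssh_authorizedkeys, takes the user name as its only argument, and is found via PATH; the NSS check with getent mirrors the getpwnam() call ssh is expected to make first.

```shell
#!/bin/sh
# Added example, not from the patch: an AuthorizedKeysCommand wrapper that
# produces no output and no error text for a user that does not resolve
# through NSS, and forwards to the (assumed) sss_ssh_authorizedkeys helper
# only for users that do.

authorized_keys_for() {
    user="$1"

    # Repeat the getpwnam()-style lookup that ssh is expected to perform
    # before calling the AuthorizedKeysCommand. An unknown user yields no
    # keys and no diagnostic, so nothing noisy lands in the sshd log.
    if ! getent passwd "$user" >/dev/null 2>&1; then
        return 0
    fi

    # Only invoke the SSSD helper when it is installed; its stderr is
    # discarded so lookup failures do not surface as sshd log noise.
    if command -v sss_ssh_authorizedkeys >/dev/null 2>&1; then
        sss_ssh_authorizedkeys "$user" 2>/dev/null
    fi
    return 0
}

# Usage when installed as AuthorizedKeysCommand: the user name is passed
# as the first argument (sshd substitutes %u for it in sshd_config).
authorized_keys_for "${1:-root}"
```

Returning 0 with empty output is deliberate: sshd treats "no keys" and "no output" the same way, so the wrapper never has to distinguish between an unknown user and a known user without keys.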
To reproduce, just run:
getent netgroup some_name(a)trusted.domain
Please see the commit message for explanation. The other solution would
be the other way around, ie always go to the code that handles lookups
for trusted domains and shortcut if the lookup is for anything else than
a user or a group.
I'm resending a patch for ticket #2870 on behalf of the original
reporter who also kindly submitted a patch.
The patch looks good to me; as soon as we fix CI, I'll submit it as well
and I think we can push it.
This patchset implements a new responder-like service in SSSD called
secrets. It uses the Custodia project API to offer a service where
applications/users can store secrets in a way that makes requests
remotizable and routable with a high degree of configurability (esp, in
conjunction with a Custodia proxy).
Included are also accessory patches to change the monitor and other
aspects of service startup and monitoring necessary to have this new
kind of service which is more independent than the pam/nss based
There is no testsuite for the service yet.
The work is also not complete in that the monitor does not start the
service yet; I have an experimental unit file I am working on, but it is
not fully functional and not included yet.
I do not expect all patches to be accepted right away, but they all work
individually (manually tested), and I think it is a good time to start
review and bring in what works, as we are going to spread some of the
remaining work across multiple people.
Simo Sorce * Red Hat, Inc * New York
This patch adds a new plugin similar to the one for the cifs-utils which
allows winbind to use the same id-mapping as SSSD.
Currently I only added it to the dlopen test because I think it would be
best to test it directly when Samba becomes available in the CI.
See patches in attachment that
are part of solution for
There are a few ding libs patches. The
first is unrelated, but I just added
some missing trace info.
The second is a patch for new parser
flag that Dmitri wrote in discussion
I modified the patch a little so I can
not ack it (the check was necessary on one
more place, so I added it there).
The third ding libs patch adds a unit test
for the new flag. I decided to add a new
check based test rather than adding
the test to ini_parse_ut.c. So it is
the only test in the suite for now.
There is also a patch for SSSD attached
that can take advantage of this flag
to solve GPO issues once the new version
of ding libs is released.
The patches are finally ready to be tested and reviewed. They are too huge
to be sent to the list, so please check out my fedorapeople or github repo:
Subdomain handlers are not yet converted so subdomain support is
disabled, otherwise everything should work although I'm sure you'll find
I managed to do some simple tests (initgroups, authentication) with ldap
provider so far and will continue testing and fixing so if you find a
bug make sure you run with the latest version before reporting it please :-)
Since the changes touch almost all areas of SSSD I encourage everyone to
run and try. Some handlers were converted quite easily, some took more
handy work. Areas that are most likely to contain some bugs are these
(please give it extra attention):
- proxy provider
- if group membership changes during initgroups, nss memory cache should
be cleared through a dbus call
- selinux support
- hbac support
- change password
- password migration (ipa)
Don't be alarmed by the number of new lines -- there are not that many
changes. I copied all touched files and suffixed them with _new so sssd
can be compiled and kept working until the latest patches. I also wanted
to keep the original code intact for comparison (it was easier for
development and it may be handy for bug chasing); you can simply use
some diff tool to see the changes. We can squash it in the end.
When I am confident that the patches are stable I will do some
clean up and remove content that is no longer needed.
Our users constantly make the mistake of typing `debug = 9` in the sssd.conf
instead of `debug_level = 9` as would be correct. This happens frequently enough
that we should just alias it rather than continue to have people make mistakes.