[PATCH] Change debug level of config error msgs
by Michal Židek
Hi,
I believe that this patch makes pinpointing
config errors a little easier, especially
when using the sssctl tool, which currently refuses
to start a command when there are syntax errors in
sssd.conf but by default does not print the
problematic line number. Compare:
ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la :
/usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header
(Wed Jul 27 14:05:39:185114 2016) [sssd] [sss_ini_get_config] (0x0010):
Failed to parse configuration. Error 5.
(Wed Jul 27 14:05:39:185192 2016) [sssd] [sss_ini_get_config] (0x0010):
Errors detected while parsing: /etc/sssd/sssd.conf
(Wed Jul 27 14:05:39:185229 2016) [sssd] [confdb_init_db] (0x0010):
Failed to load configuration
(Wed Jul 27 14:05:39:185255 2016) [sssd] [confdb_setup] (0x0010): ConfDB
initialization has failed [5]: Input/output error
(Wed Jul 27 14:05:39:185288 2016) [sssd] [sss_tool_confdb_init]
(0x0010): Unable to setup ConfDB [5]: Input/output error
and:
ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la :
/usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header
(Wed Jul 27 14:22:51:096949 2016) [sssd] [sss_ini_get_config] (0x0010):
Failed to parse configuration. Error 5.
(Wed Jul 27 14:22:51:097173 2016) [sssd] [sss_ini_get_config] (0x0010):
Errors detected while parsing: /etc/sssd/sssd.conf
(Wed Jul 27 14:22:51:097490 2016) [sssd] [sss_ini_config_print_errors]
(0x0010): Error (2) on line 10: No closing bracket.
(Wed Jul 27 14:22:51:097946 2016) [sssd] [confdb_init_db] (0x0010):
Failed to load configuration
(Wed Jul 27 14:22:51:098452 2016) [sssd] [confdb_setup] (0x0010): ConfDB
initialization has failed [5]: Input/output error
(Wed Jul 27 14:22:51:098651 2016) [sssd] [sss_tool_confdb_init]
(0x0010): Unable to setup ConfDB [5]: Input/output error
Patch is attached.
Michal
7 years, 7 months
[PATCH] config: Some fixes to schema
by Michal Židek
Hi,
attached is a patch for ticket
https://fedorahosted.org/sssd/ticket/3068
The ticket also talks about allowing options
for negative cache timeouts in all responders,
but I did not do that.
We do indeed initialize the negative cache in all
responders, but we always read the timeouts
from the NSS section. Also, in the man pages we only
document these options for NSS. So it is not a
problem with the schema. I do agree that this is
not ideal, but should we fix it? I do not
think it is worth the time, but if someone thinks
otherwise, please open a ticket.
Michal
7 years, 7 months
[PATCHES] AD: netlogon_get_domain_info() allow missing arguments
by Sumit Bose
Hi,
it is possible that the CLDAP/netlogon reply does not contain any site
data. In this case we should not fail but just use what we can get.
Especially when looking up the Global Catalog, the forest name is needed.
If the site name is missing we can still use the forest name to look up
the Global Catalog in DNS.
The first patch is not strictly related to the issue but since it fixes
a potential memory leak (we currently do not have it because only
short-lived memory contexts are used so far) I think it is worth adding
it here.
bye,
Sumit
7 years, 7 months
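As an added illustration of the fallback described in the post above (not SSSD's own code; the `netlogon_info` struct and function names are hypothetical), the candidate SRV owner names for a Global Catalog lookup are built from whatever the netlogon reply provided, using the standard AD naming `_gc._tcp.<site>._sites.<forest>` and `_gc._tcp.<forest>`: a missing site only drops the site-specific candidate, while a missing forest name makes the lookup impossible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the fields taken from a CLDAP netlogon reply;
 * any of them may be NULL when the DC did not return that data. */
struct netlogon_info {
    const char *dns_domain;   /* DNS name of the DC's own domain */
    const char *forest;       /* DNS name of the forest root */
    const char *site;         /* client site name, often absent */
};

static int is_empty(const char *s)
{
    return s == NULL || s[0] == '\0';
}

/* Allocate "_gc._tcp.<site>._sites.<forest>" or, when site is NULL,
 * "_gc._tcp.<forest>". Returns NULL on allocation failure. */
static char *gc_srv_name(const char *site, const char *forest)
{
    int len = (site != NULL)
        ? snprintf(NULL, 0, "_gc._tcp.%s._sites.%s", site, forest)
        : snprintf(NULL, 0, "_gc._tcp.%s", forest);
    char *name = malloc((size_t)len + 1);
    if (name == NULL) return NULL;
    if (site != NULL) snprintf(name, (size_t)len + 1, "_gc._tcp.%s._sites.%s", site, forest);
    else              snprintf(name, (size_t)len + 1, "_gc._tcp.%s", forest);
    return name;
}

/* Fill names[] with the SRV names to try, most specific first.
 * Returns the number of candidates (0 when the forest name is missing,
 * since without it no GC lookup is possible) or -1 on allocation failure.
 * The caller frees each returned string. */
int gc_srv_candidates(const struct netlogon_info *info, char *names[2])
{
    int n = 0;
    names[0] = names[1] = NULL;
    if (info == NULL || is_empty(info->forest)) return 0;
    if (!is_empty(info->site)) {          /* site known: try the site-local GCs first */
        names[n] = gc_srv_name(info->site, info->forest);
        if (names[n] == NULL) return -1;
        n++;
    }
    names[n] = gc_srv_name(NULL, info->forest);   /* forest-wide fallback always present */
    if (names[n] == NULL) { free(names[0]); names[0] = NULL; return -1; }
    return n + 1;
}
```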
[PATCHES] User lookup and login by Kerberos alias and email
by Sumit Bose
Hi,
this patch set should fix https://fedorahosted.org/sssd/ticket/2958
"Support multiple principals for IPA users" so the IPA users can log in
with their Kerberos alias as well.
The overall code path was already added for the UPN feature but had to
be extended in various places. The main difference is that the realm
part of AD UPNs with an alternative domain suffix does not relate to
a known domain name. The realm part of the Kerberos aliases can come
from any domain. The same is true for email addresses, which are supported
by this patch set as well.
I know that Jakub had some concerns about adding email addresses now and
another attribute in the next version and so on. I would like to make
this scheme more generic so that the attributes which should be used for
login names can be configured. Unfortunately I didn't have the time to
do it already in this patch set.
Adding a larger number of sources for the login name increases the
chance of collisions. But since each of the name types, Kerberos
principals and email addresses, is expected to be unique in its
domain, I hope the chances are still low enough.
bye,
Sumit
7 years, 8 months