[sssd PR#127][opened] ssh: use cache_req
by fidencio
URL: https://github.com/SSSD/sssd/pull/127
Author: pbrezina
Title: #127: ssh: use cache_req
Action: opened
PR body:
"""
These patches make the SSH responder use the cache_req interface.
Since this responder uses that same `cache-domain-cache` lookup logic
for host certificates I implemented `host by name` request in `cache_req`.
In order to achieve this I moved data provider lookup function from `cache_req`
code into plugins.
The first two patches fix minor issues in the SSH responder and should be
pushed to earlier versions as well. The first patch fixes a little issue
introduced probably by overrides and the second patch removes name qualification
since it is already qualified in the sysdb since fqname patches.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/127/head:pr127
git checkout pr127
7 years, 1 month
[sssd PR#66][opened] Minor Dynamic DNS fixes
by fidencio
URL: https://github.com/SSSD/sssd/pull/66
Author: justin-stephenson
Title: #66: Minor Dynamic DNS fixes
Action: opened
PR body:
"""
To provide a bit more information, one of the fixes is to correct NULL being printed here (https://fedorahosted.org/sssd/ticket/3220):
[nsupdate_msg_create_common] (0x0200): Creating update message for realm [(null)].
For the other (https://bugzilla.redhat.com/show_bug.cgi?id=1386748), it is not uncommon for nsupdate to successfully update DNS records but report the error below, which results in return(2) being called inside nsupdate code:
TSIG error with server: tsig verify failure
It is easy to reproduce with AD DNS changing Dynamic DNS to 'Nonsecure and secure' on the Zone Properties.
This patch allows PTR records to continue when this happens; however, in this case our debug log messages still report failure and I think some improvement should be made here (not sure how exactly, though):
[child_sig_handler] (0x1000): Waiting for child [3710].
[nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
[child_sig_handler] (0x0020): child [3710] failed with status [2].
[be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158238]: Dynamic DNS update failed
It would be nice to correct this at the nsupdate level if this is not the expected behavior also.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/66/head:pr66
git checkout pr66
7 years, 2 months
[sssd PR#106][opened] Add a new "files" provider
by fidencio
URL: https://github.com/SSSD/sssd/pull/106
Author: jhrozek
Title: #106: Add a new "files" provider
Action: opened
PR body:
"""
This patch set implements a new provider that mirrors the contents of passwd and groups files. The intent is to make these users and groups available through the SSSD memory cache to improve performance and make it possible to read extended attributes via the sssd D-Bus interface.
As the next step, we will implement a writable D-Bus interface to make it possible to also manage local users with an API and supersede the AccountService API.
At the moment, the domain must be enabled explicitly. When this branch is merged, another commit would also enable the files domain for all installations by default.
In order to make the resolution precise, the files domain is disabled once an inotify notification arrives. During testing, I realized there might be a delay between changing the UNIX files by replacing them and *receiving* the inotify notification. Therefore the tests add a sleep as well. That's not nice and I would be glad if the reviewer can spot how to speed up the inotify notification receiving.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/106/head:pr106
git checkout pr106
7 years, 2 months
[sssd PR#138][opened] IPA: Skip conflict entries associated with sudo rules
by fidencio
URL: https://github.com/SSSD/sssd/pull/138
Author: justin-stephenson
Title: #138: IPA: Skip conflict entries associated with sudo rules
Action: opened
PR body:
"""
SSSD retrieves sudo rule information from the IPA LDAP tree; conflict entries will cause problems for SSSD and disallow sudo access when SSSD code is parsing entries associated with sudo rules. This PR sets a skip_entry boolean when it is appropriate and skips over these conflict entries.
Ticket: https://fedorahosted.org/sssd/ticket/3288
Reproducer steps: Create a host conflict entry and associate it with a sudo rule that is assigned to certain hosts, then attempt to sudo as an IDM user. I had some difficulty attempting to force replication issues causing the creation of a conflict entry; the manual ldapmodify steps below will also work:
- Retrieve the DN of the sudoRule
`# ipa sudorule-find --all --raw | grep 'dn: '
dn: ipaUniqueID=e9025c46-ddab-11e6-9096-525400af7498,cn=sudorules,cn=sudo,dc=jstephen,dc=local`
- Run ldapmodify similar to below
dn: ipaUniqueID=e9025c46-ddab-11e6-9096-525400af7498,cn=sudorules,cn=sudo,dc=jstephen,dc=local
changetype: modify
add: memberHost
memberHost: fqdn=testhost.jstephen.local+nsuniqueid=cb3d7383-ddb511e6-8c9996c1-71a1e36a,cn=computers,cn=accounts,dc=jstephen,dc=local
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/138/head:pr138
git checkout pr138
7 years, 2 months
[sssd PR#108][opened] Partially revert "CONFIG: Use default config when none provided"
by fidencio
URL: https://github.com/SSSD/sssd/pull/108
Author: lslebodn
Title: #108: Partially revert "CONFIG: Use default config when none provided"
Action: opened
PR body:
"""
This reverts part of commit 59744cff6edb106ae799b2321cb8731edadf409a.
Removed is copying of default configuration into /etc/sssd/sssd.conf.
Sample configuration is still part of installation.
Copying default configuration from /usr/lib64/sssd/conf/sssd.conf -> /etc/sssd/sssd.conf
is not the best idea. There are better ways to use default configuration
and we will need to change anyway due to files provider.
I can revert sample configuration as well.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/108/head:pr108
git checkout pr108
7 years, 2 months
[sssd PR#112][opened] FAILOVER: Improve port status log messages
by fidencio
URL: https://github.com/SSSD/sssd/pull/112
Author: justin-stephenson
Title: #112: FAILOVER: Improve port status log messages
Action: opened
PR body:
"""
This PR is created to ensure administrators do not follow the wrong path troubleshooting issues, especially with messages such as:
`Port status of port 636 for server 'server' is 'not working'`
This patch should help to clarify that there is no direct relationship between port status and actual networking status.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/112/head:pr112
git checkout pr112
7 years, 2 months