sssd-devel November 2017

sssd-devel@lists.fedorahosted.org

10 participants
210 discussions

[sssd PR#247][opened] Subdomain inherit
by mzidek-rh 21 May '18

21 May '18

URL: https://github.com/SSSD/sssd/pull/247 Author: mzidek-rh Title: #247: Subdomain inherit Action: opened PR body: """ I tested if the options that work in subdomain inherit also work in trusted domain section in sssd.conf. Most seem to work without any changes in the code except for two. With these two patches only one that does not work remains (I wanted to send patchset that adds all the options, but I got stuck on the option that sets the ldap principal, so I am sending this in the meantime). """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/247/head:pr247 git checkout pr247

4 13

[sssd PR#128][opened] Fix group renaming issue when "id_provider = ldap" is set
by fidencio 25 Apr '18

25 Apr '18

URL: https://github.com/SSSD/sssd/pull/128 Author: fidencio Title: #128: Fix group renaming issue when "id_provider = ldap" is set Action: opened PR body: """ Those two patches fix https://bugzilla.redhat.com/show_bug.cgi?id=1401241 The sssd.conf used in order to reproduce this issue looks like: ``` [sssd] config_file_version = 2 services = nss, pam domains = ad.fidencio.lan [nss] [pam] [domain/ad.fidencio.lan] ad_domain = ad.fidencio.lan krb5_realm = AD.FIDENCIO.LAN realmd_tags = manages-system joined-with-adcli cache_credentials = True krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = True fallback_homedir = /home/%u@%d ldap_referrals = false enumerate = false id_provider = ldap #id_provider = ad auth_provider = krb5 chpass_provider = krb5 access_provider = ldap ldap_sasl_mech = GSSAPI ldap_schema = ad ldap_user_object_class = user ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userPrincipalName ldap_group_object_class = group ldap_access_order = expire ldap_account_expire_policy = ad ldap_force_upper_case_realm = true ``` The reproducer can be found in the bug report. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/128/head:pr128 git checkout pr128

5 90

[sssd PR#378][opened] [RFC] Use GNULIB's compiler warning code
by fidencio 12 Apr '18

12 Apr '18

URL: https://github.com/SSSD/sssd/pull/378 Author: fidencio Title: #378: [RFC] Use GNULIB's compiler warning code Action: opened PR body: """ This is the 3rd tentative to have this patch reviewed. For more references, please, see: PR #50. So, I've re-worked those patches a little bit and here is the time difference when running reconfing with the patches: ``` real 0m26.047s user 0m21.318s sys 0m4.635s ``` And now without: ``` real 0m25.565s user 0m20.696s sys 0m4.433s ``` This patch set is rebased on top of PR #377. I really would appreciate if someone could review and give their opinion. The reason this PR was blocked is because this time difference has been considered a "performance issue". @jhrozek , could you take a look on this? """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/378/head:pr378 git checkout pr378

4 32

[sssd PR#391][opened] Use dbus-daemon in cwrap enviroment for test
by lslebodn 23 Feb '18

23 Feb '18

URL: https://github.com/SSSD/sssd/pull/391 Author: lslebodn Title: #391: Use dbus-daemon in cwrap enviroment for test Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/391/head:pr391 git checkout pr391

3 25

[sssd PR#442][opened] LDAP: Improve error treatment from sdap_cli_connect() in ldap_auth
by fidencio 22 Feb '18

22 Feb '18

URL: https://github.com/SSSD/sssd/pull/442 Author: fidencio Title: #442: LDAP: Improve error treatment from sdap_cli_connect() in ldap_auth Action: opened PR body: """ Because we weren't treating the errors coming from sdap_cli_connect_recv() properly we ended up introducing a regression in the commit add72860c7, related to offline authentication. From now on, let's properly treat errors coming from auth_connect_send(), which were treated before by going offline when be_resolve_server_recv() failed, and propagate ETIMEDOUT to the request, thus going offline and allowing offline authentication on those cases. This patch fixes the regression reported by Lukáš on https://bugzilla.redhat.com/show_bug.cgi?id=1459609#c9. (And I have to say a big thanks for finding this out!) Related: https://pagure.io/SSSD/sssd/issue/3451 Signed-off-by: Fabiano Fidêncio <fidencio(a)redhat.com> """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/442/head:pr442 git checkout pr442

3 8

[sssd PR#394][opened] TESTS: Add an integration test for renaming incomplete groups during initgroups
by jhrozek 19 Feb '18

19 Feb '18

URL: https://github.com/SSSD/sssd/pull/394 Author: jhrozek Title: #394: TESTS: Add an integration test for renaming incomplete groups during initgroups Action: opened PR body: """ This PR depends on https://github.com/SSSD/sssd/pull/128 Adds two regression tests for https://pagure.io/SSSD/sssd/issue/3282 As we implemented the group renaming heuristics to rename only if we can use another "hint" like the original DN or the SID to know the group is the same, this patch adds two tests (positive and negative) to make sure a group with a totally different RDN and hence different originalDN cannot be renamed but a group whose name changed but the RDN stays the same can be renamed. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/394/head:pr394 git checkout pr394

2 7

[sssd PR#237][opened] providers: Move hostid from ipa to sdap
by hvenev 09 Feb '18

09 Feb '18

URL: https://github.com/SSSD/sssd/pull/237 Author: hvenev Title: #237: providers: Move hostid from ipa to sdap Action: opened PR body: """ This just makes sss_ssh_knownhostsproxy work. There is no support for hostgroups (although hostgroups in `ipa` should continue working). I've been using this for a few days with the `ldap` and `krb5` providers and I haven't noticed any regressions. I haven't tested `ipa` and `ad` but all tests seem to pass. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/237/head:pr237 git checkout pr237

6 38

[sssd PR#438][opened] krb5_child: Distinguish between expired & disabled AD user
by lslebodn 07 Feb '18

07 Feb '18

URL: https://github.com/SSSD/sssd/pull/438 Author: lslebodn Title: #438: krb5_child: Distinguish between expired & disabled AD user Action: opened PR body: """ This is an updated version of patchset which was prepared a long time ago. It had to be changed due to commit 78027feeb56d6fe216f699be86a4716aaef3f628 which introduced different handling of password due to conditional build in `password_or_responder` I did not test with older version of krb5 which does not have defined`HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER` It was initially discussed on sssd-devel https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.… as part of mail thread https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.… and @simo5 did most of review at that time. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/438/head:pr438 git checkout pr438

3 10

SSSD Virtual Test Suite
by Pavel Březina 06 Feb '18

06 Feb '18

Hello, It took me a lot longer than I expected but here it is at last. This is my set of scripts that use vagrant and Ansible to automatically provision virtual environment that I use to develop and test SSSD. To create this environment you only need to run one command: $ ./setup.sh and after a while you have several machines provisioned and ready. This machines include LDAP, IPA and AD servers with one machine dedicated to SSSD. This machine is already enrolled to those servers. To start building and/or testing SSSD with all available providers, you can just run: $ vagrant ssh client Additionally, it allows you to automatically source your set of scripts on each login and access IPA web-ui from your browser. I tried to make the provisioning as fast as possible but it still takes approximately one hour on my machine. So be patient. Any ideas and patches for improvements are welcomed. The source is available at: https://github.com/pbrezina/sssd-test-suite

2 5

Design page: Automatic private group creation for the LDAP provider
by Jakub Hrozek 16 Jan '18

16 Jan '18

Hi, I wrote a design page about exposing the functionality that creates the user private groups based on the user entry only: https://pagure.io/fork/jhrozek/SSSD/docs/blob/mpg/f/design_pages/auto_priva… For your convenience, I'm also copying the design text in the RST format below. Once the design is approved, I'll propose a PR against the sssd/docs repository. Automatic Private Groups ======================== Related ticket(s): ------------------ https://pagure.io/SSSD/sssd/issue/1872 Problem statement ----------------- This change will enable SSSD to automatically generate private groups for users based on the UID number without the group actually being present as an LDAP object. Use cases --------- The primary use-case is ease of management. The LDAP administrator will only create the user object and add the user to supplementary groups as needed. This has two advantages: * There is one less object to manage and keep in sync with the user * In AD environments, it is not possible to create a user and a group with the same samAccountName, therefore even manually creating the private groups requires the admin to remap the group attribute to a non-default one since by default both users and groups use samAccountName. Overview of the solution ------------------------ Most of the low-level functionality in the sysdb layer had been developed for many years for use in the ``local`` provider. At the same time, there are also most of the infrastrucure ready in the LDAP provider, because the automatic private groups are used by default already for trusted domains. At the moment, the functionality is enabled internally by an option called ``mpg``, short for Magic-Private-Groups. On a high level, the private groups are not created in the SSSD cache at all, but the work is done by the NSS responder which generates the group reply based on the user object only. However, since the ``mpg`` option was always set for truste Therefore, the majority of the work will be exposing the option in configuration and making sure all codepaths work equally well for joined domains as they do for trusted domains. Implementation details ---------------------- A new option needs to be added that would control the user private group creation. In the past, we've had an option called ``magic_private_groups`` and the internal boolean flag inside the ``sss_domain_info`` structure is still called ``mpg``. Instead of resurrecting the old option, we should introduce a newly named option that would be understood by admins better, such as ``auto_private_groups``. The new option must be read on SSSD startup and set the ``sss_domain_info->mpg`` flag, which is currently auto-enabled with sudomains only. The code branch that saves the user (currently ``sdap_save_user``) must be extended to allow setting the GID number to be the same as UID number for any domain that sets the ``mpg`` flag. Care must be taken to store the original GID number (if any) to the ``SYSDB_PRIMARY_GROUP_GIDNUM`` attribute which is then used by the NSS responder to add the original primary GID as a supplementary group. Finally, the group-by-GID LDAP request in the LDAP provider must be extended to make sure that if a private group GID is requested before the user is, the group request will also turn the group-by-GID request to a user-by-UID request which would save the user object which would then allow the NSS responder to auto-generate the group reply. Configuration changes --------------------- A new option ``auto_private_groups`` will be introduced. At the moment, it will only be possible to set the option for the joined domains as the trusted domains always create the private groups already by default. Therefore the only viable usage of this new option in a trusted domain would be `disabling` the functionality, which is out of scope of this RFE. The ``auto_private_groups`` option will default to ``false``. The new option must document that currently the cache must be removed when changing the option value. How To Test ----------- The primary use-cases are SSSD being a client of a generic LDAP server and SSSD on a Linux machine directly joined to an AD domain with ``id_provider=ad``. In both cases, setting the ``auto_private_groups`` option to ``true`` should result in the ``initgroups`` call returning the primary GID number of the user with the same value and resolving to the same name as the primary UID namber and the username. Other intefaces should produce symmetrical results, although at least in the case of the D-Bus based IFP interface, is it currently not the case, see `ticket #3543 <https://pagure.io/SSSD/sssd/issue/3543>`_. For example, here is an output of a test user with private groups autogenerated:: id puser(a)win.trust.test uid=20000(puser(a)win.trust.test) gid=20000(puser(a)win.trust.test) groups=20000(puser@win.trust.test),20002(user1_group2@win.trust.test),20001(user1_group1@win.trust.test),10000(pgroup@win.trust.test) and without:: id puser(a)win.trust.test uid=20000(puser(a)win.trust.test) gid=10000(pgroup(a)win.trust.test) groups=10000(pgroup@win.trust.test),20001(user1_group1@win.trust.test),20002(user1_group2@win.trust.test) Note that in the case of the private groups being generated, the original GID number is turned into a supplementary group by the initgroups call. How To Debug ------------ There's not much extra debugging added for this feature. Debugging this feature should amount to the usual checking of the debug logs. In addition, the cache can be inspected with the ``ldbsearch`` tool to make sure all the groups are saved as expected as well as the ``SYSDB_PRIMARY_GROUP_GIDNUM`` attribute. Authors ------- * Jakub Hrozek <jhrozek(a)redhat.com>

2 3

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel November 2017