December 2017 - sssd-devel - Fedora Mailing-Lists

[sssd PR#477][opened] SYSDB: Return EOK in case a non-fatal issue happened

by fidencio

URL: https://github.com/SSSD/sssd/pull/477 Author: fidencio Title: #477: SYSDB: Return EOK in case a non-fatal issue happened Action: opened PR body: """ There may be the case where we aren't able to merge the timestamps from the fast ts db, which are treated as non-fatal issues. In case it happens, let's return EOK instead of propagating the non-fatal error. NOTE: I'm not sure whether it's an issue or not, but I've realized that while taking a look at a covscan issue found downstream. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/477/head:pr477 git checkout pr477

6 years, 3 months

3
5
0 / 0

[sssd PR#400][opened] PAM: Avoid overwriting pam_status in _lookup_by_cert_done()

by fidencio

URL: https://github.com/SSSD/sssd/pull/400 Author: fidencio Title: #400: PAM: Avoid overwriting pam_status in _lookup_by_cert_done() Action: opened PR body: """ In case add_pam_cert_response() failed pam_status has to be set to PAM_AUTHINFO_UNAVAIL. Although it's done properly in the code, pam_status was overwritten just after the if block with PAM_SUCCESS. The original faulty code was added as part of 32474fa2f0. Signed-off-by: Fabiano Fidêncio <fidencio(a)redhat.com> """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/400/head:pr400 git checkout pr400

6 years, 4 months

3
6
0 / 0

[sssd PR#482][opened] MAN: Improve enumeration documentation

by jhrozek

URL: https://github.com/SSSD/sssd/pull/482 Author: jhrozek Title: #482: MAN: Improve enumeration documentation Action: opened PR body: """ Clarifies several issues about enumeration that should hopefully further decrease the usage of enumeration across sssd install base. Resolves: https://pagure.io/SSSD/sssd/issue/3486 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/482/head:pr482 git checkout pr482

6 years, 4 months

3
6
0 / 0

[sssd PR#479][opened] MAN: Document that auth and access IPA and AD providers rely on id_provider being set to the same type

by jhrozek

URL: https://github.com/SSSD/sssd/pull/479 Author: jhrozek Title: #479: MAN: Document that auth and access IPA and AD providers rely on id_provider being set to the same type Action: opened PR body: """ Resolves: https://pagure.io/SSSD/sssd/issue/3547 The IPA and AD auth and access providers rely (often for performance reasons) on certain properties that are set during the user or group resolution with the same provider type. However, there are users who wish to combine different provider types, typically to use identities from local UNIX files but authenticate against a remote server. We should discourage that in our documentation But at the same time, I think flat our failing would be too harsh...I was also thinking about printing a DEBUG message during initialization, if the reviewer thinks this is a good idea, I'll do that as well. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/479/head:pr479 git checkout pr479

6 years, 4 months

4
11
0 / 0

Requesting help with files provider ticket 3402 implementation

by Justin Stephenson

Hello, I have been working on this ticket[1] to allow selection of file paths for alternate passwd and group files to be used with the files provider. First, just to make sure I am not completely on the wrong track I would like to ask for someone to take a quick look at the current work-in-progress code I have here in my SSSD fork to validate that it matches up with the expected implementation. https://github.com/SSSD/sssd/compare/master...justin-stephenson:jstephen-... Second, assuming I am not completely off track I would appreciate any help on a code problem I am having here when sf_init() gets called to setup watches on the passwd_files and group_files lists, the list values are corrupted or inaccessible. I started off with the code from the function files_init_alt_files() inside sssm_files_init() directly and everything works as expected, the problem started when I moved the code into this separate function. The list values are retrieved from the new alt_passwd_files and alt_group_files options or default to /etc/passwd and /etc/group files. Inside sssm_files_init() I am able to access the correct values of each string element in the list but when sf_init() is called the list is corrupt or I am performing some undefined behavior that I cannot determine. The debug log look something like this in my testing when three different files are provided to the new conf options. (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [sssm_files_init] (0x0400): Found passwd file: [/etc/passwd]. (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [sssm_files_init] (0x0400): Found passwd file: [/opt/testpasswd]. (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [sssm_files_init] (0x0400): Found passwd file: [/usr/passwd]. (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [sssm_files_init] (0x0400): Found group file: [/etc/group]. (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [sssm_files_init] (0x0400): Found group file: [/opt/testgroup]. (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [sssm_files_init] (0x0400): Found group file: [/usr/group]. (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [sf_init] (0x0400): Setting up passwd watch on [/etc/passwd]. (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened inotify fd 17 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened file watch 1 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened directory watch 2 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [_snotify_create] (0x0400): Added a watch for /etc/passwd with inotify flags 0xD88 internal flags 0x1 using function fn after delay 0.0 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [sf_init] (0x0400): Setting up passwd watch on [`<DE><F6>^]hU]. (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened inotify fd 18 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened file watch -1 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened directory watch 1 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [_snotify_create] (0x0400): Added a watch for `<DE><F6>^]hU with inotify flags 0xD88 internal flags 0x1 using function fn after delay 0.0 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [sf_init] (0x0400): Setting up passwd watch on [/etc/passwd]. (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened inotify fd 19 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened file watch 1 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened directory watch 2 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [_snotify_create] (0x0400): Added a watch for /etc/passwd with inotify flags 0xD88 internal flags 0x1 using function fn after delay 0.0 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [sf_init] (0x0400): Setting up group watch on [/etc/group]. (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened inotify fd 20 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened file watch 1 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened directory watch 2 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [_snotify_create] (0x0400): Added a watch for /etc/group with inotify flags 0xD88 internal flags 0x1 using function fn after delay 0.0 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [sf_init] (0x0400): Setting up group watch on [^Q]. (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened inotify fd 21 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened file watch -1 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened directory watch 1 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [_snotify_create] (0x0400): Added a watch for ^Q with inotify flags 0xD88 internal flags 0x1 using function fn after delay 0.0 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [sf_init] (0x0400): Setting up group watch on [/usr/group]. (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened inotify fd 22 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened file watch 1 (Wed Dec 20 10:02:48 2017) [sssd[be[files]]] [snotify_watch] (0x2000): Opened directory watch 2 Lastly, if there are other considerations I have missed here regarding files provider logic please let me know and i'll work on it. Any input is much appreciated, thank you. [1] https://pagure.io/SSSD/sssd/issue/3402 Kind regards, Justin Stephenson

6 years, 4 months

2
2
0 / 0

RFC: SSSD 1.16.1 release contents

by Jakub Hrozek

Hi Timo, Howard and sssd-devel list, Per Timo’s request (which makes sense also in general as we didn’t release for some time), we’d like to release the 1.16.1 upstream tarball before the Christmas break. Because I don’t want to plan any important work for the last week before Christmas, the tentative date we’re thinking about is December 15th. Would that work for you or would it disrupt any of your distributions schedule? As per the contents, the only ticket that must be included in the remaining week are fixes for regressions: https://pagure.io/SSSD/sssd/roadmap?status=Open&tag=regression&milestone=... Are there any other tickets that you think should be fixed in 1.16.1? btw the plan for us is to triage the (ridiculously long) 1.16.1 milestone by the beginning to only include user-facing bugs, move other tickets (RFEs/internal changes) to later releases and switch the 1.16.x release stream to bugfix-only. All the user-facing tickets that won’t make the 1.16.1 cut would be moved to 1.16.2. I think we should do at least one more 1.16 release, but whether we do more would also depend on you distribution schedule..see also my other e-mail about SSSD 2.0.. Thanks for your help!

6 years, 4 months

2
3
0 / 0

1.16.1 milestone cleanup

by Jakub Hrozek

Hi, it's Christmas cleaning time! Because we should switch the 1.16.x branch into bugfixing mode, let's move the majority of tickets out of the 1.16.1 milestone. I tagged all the issues (except 1.16.1 blockers that should stay) with where I propose we should move the tickets. Bug fixes that affect our users should be moved to 1.16.2: https://pagure.io/SSSD/sssd/roadmap?status=Open&tag=postpone-to-1-16-2&mi... Most fixes would be for now moved to 2.0: https://pagure.io/SSSD/sssd/roadmap?status=Open&tag=postpone-to-2-0&miles... Of course this would cause the 2.0 milestone to be too big and I wonder what do others think would be the best decision. Setting priorities and encouraging developers to work on tickets with decreasing priority? Or creating a tiny 2.0 milestone and a backlog? I would prefer the backlog, even though it's been turning into a wishlist in previous releases.. Finally, there are some tickets that can IMO be moved even further, either to future releases: https://pagure.io/SSSD/sssd/roadmap?status=Open&tag=postpone-to-future-re... or even to patches welcome: https://pagure.io/SSSD/sssd/roadmap?status=Open&tag=postpone-to-patches-w... I'll be glad to hear other opinions!

6 years, 4 months

1
0
0 / 0

[sssd PR#478][opened] ifp: use realloc in ifp_list_ctx_remaining_capacity()

by sumit-bose

URL: https://github.com/SSSD/sssd/pull/478 Author: sumit-bose Title: #478: ifp: use realloc in ifp_list_ctx_remaining_capacity() Action: opened PR body: """ ifp_list_ctx_remaining_capacity() might be called multiple times if results from multiple domains are added to the result list. The current use of talloc_zero_array() will override results which are already in the list. This patch replaces it with talloc_realloc(). Resolves https://pagure.io/SSSD/sssd/issue/3608 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/478/head:pr478 git checkout pr478

6 years, 4 months

3
8
0 / 0

Design document: A tool to print access control report for IPA clients

by Jakub Hrozek

Hi, below is a short design page about a new sssctl command that prints the IPA HBAC rules cached on an IPA client. If there are no comments, I'll open a PR against the docs repository. Generate an access control report for IPA domains ================================================= Related ticket(s): ------------------ https://pagure.io/SSSD/sssd/issue/2840 Problem statement ----------------- Some environments require, for auditing reasons, to generate an access control report on the IPA client itself. While it can be argued that generating these reports on the IPA servers instead would provide a nicer experience, the audits requirement sometimes need a tool to be run on the host. Use cases --------- As an owner of an IPA client I need to know which users have access to this client. I want to run a tool on the host and get a report who can access it. The reports must contain information about HBAC rules. In future, SUDO rules would be nice to have as well. Overview of the solution ------------------------ A new ``sssctl`` command called ``access-report``. will be added. This command will only be implemented for IPA domains for now, other domain types will just return an error. The functionality of the command will first trigger PAM access control call to force refresh of the rules and subsequently print all HBAC rule objects from the cache. Configuration changes --------------------- None, only the new tool will be implemented. Implementation details ---------------------- In order to trigger the refresh of rules by ``sssd_be`` process, the tool will call ``pam_acct_mgmt(3)``. The ``user`` and ``service`` that are used in that call will have sensible defaults (e.g. ``admin`` and ``system-auth``) but the tool will also offer command-line switches to override both. In addition, the tool will have a switch to operate purely from cache. For printing the rules, the tool will simply call ``ldb_search``, retrieve all objects of objectclass ``ipaHbacRule`` and then print the RDN value of ``memberUser`` (for users and user groups), ``memberService`` (for services and service groups) and ``category``. By default, groups will not be unrolled, because the ``getgrnam`` interface limits the group nesting by default, therefore it is better to just print the group name, not all the group members. The tool must also print the output in both human-readable and machine-readable formats. For machine readable output, JSON is the best choice, since the KCM responder already depends on ``libjansson.`` How To Test ----------- Run ``sssctl access-report`` on an IPA client with different HBAC rules stored in the cache. Make sure all options produce the desired results. How To Debug ------------ Debug messages will be added to the tool itself. To compare the output with the cache contents, the ``ldbsearch`` tool can be used. The ``ipa`` administration tool can be used to display the server-side HBAC rules. Authors ------- * Jakub Hrozek

6 years, 4 months

2
5
0 / 0

[sssd PR#379][opened] CI: Enable pep8 check

by fidencio

URL: https://github.com/SSSD/sssd/pull/379 Author: fidencio Title: #379: CI: Enable pep8 check Action: opened PR body: """ As said by the commit log, this PR enables pep8 check in our CI. I really would appreciate to hear @lslebodn's feedback on the patch itself, so I can revisit the commit dropped by @jhrozek that fixes all pep8 warnings and have it added to this series. Anyways, the feedback I'm looking for is basically: Is this patch desired? Is this the right approach? If not, what would you suggest? """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/379/head:pr379 git checkout pr379

6 years, 4 months

4
48
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel December 2017