[sssd PR#32][opened] Requesting a pull to SSSD:master from fidencio:wip/#3138
by fidencio
URL: https://github.com/SSSD/sssd/pull/32
Author: fidencio
Title: #32: Requesting a pull to SSSD:master from fidencio:wip/#3138
Action: opened
PR body:
"""
This patch series is intended to solve #3138 by adding a new service
that updates the confdb. As part of the series this service is used by
secrets service.
I only ran CI locally and the two secrets tests have been failing. /o\
Also, I've noticed some weird behavior, where the sssd-update-confdb
service starts for apparently no reason, when upgrading fedora
packages.
Anyways, these pieces of code really need some detailed review as it
was the first time I've been "seriously" playing with TEvent requests.
So, please, consider it more like an RFC than a well finished and
polished code.
Best Regards,
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/32/head:pr32
git checkout pr32
6 years, 9 months
[sssd PR#244][opened] KCM: Modify krb5 snippet file kcm_default_ccache
by lslebodn
URL: https://github.com/SSSD/sssd/pull/244
Author: lslebodn
Title: #244: KCM: Modify krb5 snippet file kcm_default_ccache
Action: opened
PR body:
"""
The file kcm_default_ccache must enable KCM ccache by default
without any modification of the file.
The patch also fixes few issues.
* /etc/krb5.conf.d is fedora/el7 specific and therefore should not
be created by make. File will be installed to $datadir/sssd-kcm by
default
* /etc/krb5.conf.d/ should not be owned by sssd-kcm because it is owned
by dependency of sssd-kcm (krb5-libs)
sh$ rpm -qf /etc/krb5.conf.d/
sssd-kcm-1.15.3-0.20170411.0929.gitdbeae4834.fc26.x86_64
krb5-libs-1.15.1-7.fc26.x86_64
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/244/head:pr244
git checkout pr244
6 years, 9 months
[sssd PR#289][opened] Check the timestamp cache during the users/groups cleanup
by fidencio
URL: https://github.com/SSSD/sssd/pull/289
Author: fidencio
Title: #289: Check the timestamp cache during the users/groups cleanup
Action: opened
PR body:
"""
This patch set basically changes the behaviour of the cleanup_user() and cleanup_groups() functions used by ldap_id_cleanup().
With the current behaviour the searches for the users/groups to be cleaned up are always done in the cache, while the up to date information about their expiration is kept in the timestamp cache.
So, in order to fix [3389](https://pagure.io/SSSD/sssd/issue/3369), let's perform the search in the timestamp cache whenever it's possible.
I'm really not sure whether the dn_filter I'm building is totally correct, so I'd like to ask whoever review this patchset to take a careful look that the last patch, specially in the cleanup_dn_filter() function.
The way I'm testing this issue is:
- I have a LDAP server with a few users and have the following options configured on sssd.conf:
```
enumerate = true
ldap_enumeration_refresh_timeout = 35
ldap_purge_cache_timeout = 60
entry_cache_timeout = 20
```
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/289/head:pr289
git checkout pr289
6 years, 10 months
[sssd PR#277][opened] CACHE_REQ_SEARCH: Check for filtered users/groups also on cache_req_s…
by fidencio
URL: https://github.com/SSSD/sssd/pull/277
Author: fidencio
Title: #277: CACHE_REQ_SEARCH: Check for filtered users/groups also on cache_req_s…
Action: opened
PR body:
"""
…end()
cache_req_send() may take some shortcuts in case the object is found in
the cache and it's still valid.
This behaviour may lead to exposing filtered users and groups when
they're searched by their uid/gid.
A solution for this issue was proposed on 4ef0b19a but, unfortunately,
didn't take into consideration that this shortcut could be taken.
There are basically two really easy ways to test this issue:
1) Using enumeration:
- Set "enumerate = True" in the domain section
- restart SSSD cleaning up the cache;
- Wait a little bit till the enumerated users are cached
- id <uid of a user who is part of the filter_users>
2) Not using enumeration:
- getent passwd <uid of a user who is part of the filter_users>
- Wait a little bit till the user is cached
- id <same uid used above>
Related:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/277/head:pr277
git checkout pr277
6 years, 11 months
Changes to default ccache in krb5.conf
by Lukas Slebodnik
ehlo,
I had a discussion with QEs and realized that sssd need to be restarted
if default_ccache_name is changed in krb5 configuration files.
The reason is that we cache the value but do not refresh it.
https://pagure.io/SSSD/sssd/blob/master/f/src/providers/krb5/krb5_common....
We might changed that using inotify. But we would need to change.
I am not sure whether it will be trivail to change because we would need to
change cached value in "struct dp_option *opts" for all domains (including
subdomains)
ATM the safest way is to restart sssd. But do we want to be more flexible here?
LS
6 years, 11 months