[sssd PR#277][opened] CACHE_REQ_SEARCH: Check for filtered users/groups also on cache_req_s…
by fidencio
URL: https://github.com/SSSD/sssd/pull/277
Author: fidencio
Title: #277: CACHE_REQ_SEARCH: Check for filtered users/groups also on cache_req_s…
Action: opened
PR body:
"""
…end()
cache_req_send() may take some shortcuts in case the object is found in
the cache and it's still valid.
This behaviour may lead to exposing filtered users and groups when
they're searched by their uid/gid.
A solution for this issue was proposed on 4ef0b19a but, unfortunately,
didn't take into consideration that this shortcut could be taken.
There are basically two really easy ways to test this issue:
1) Using enumeration:
- Set "enumerate = True" in the domain section
- restart SSSD cleaning up the cache;
- Wait a little bit till the enumerated users are cached
- id <uid of a user who is part of the filter_users>
2) Not using enumeration:
- getent passwd <uid of a user who is part of the filter_users>
- Wait a little bit till the user is cached
- id <same uid used above>
Related:
https://pagure.io/SSSD/sssd/issue/3362
Signed-off-by: Fabiano Fidêncio <fidencio(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/277/head:pr277
git checkout pr277
6 years, 10 months
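The PR above describes a cache fast path that returns a still-valid entry before the filter_users/filter_groups check runs. The following is an added illustration of that ordering problem, not SSSD code: a constructed in-memory cache, a constructed filter list and a lookup-by-uid function whose `check_filter_on_shortcut` flag models the pre-fix (false) and fixed (true) behaviour. All names and data here are made up for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of one cached user entry (not SSSD's sysdb structures). */
struct cached_user {
    const char *name;
    unsigned int uid;
    bool valid;        /* true: entry is fresh, the cache shortcut may be taken */
};

/* Constructed sample cache; "root" is also listed in the filter below. */
static const struct cached_user sample_cache[] = {
    { "root",  0,    true  },
    { "alice", 1000, true  },
    { "bob",   1001, false },
};
#define N_CACHE (sizeof(sample_cache) / sizeof(sample_cache[0]))

/* Constructed stand-in for the filter_users option. */
static const char *const filtered_names[] = { "root" };
#define N_FILTERED (sizeof(filtered_names) / sizeof(filtered_names[0]))

static bool is_filtered_user(const char *name)
{
    for (size_t i = 0; i < N_FILTERED; i++) {
        if (strcmp(filtered_names[i], name) == 0) {
            return true;
        }
    }
    return false;
}

static const struct cached_user *cache_find_uid(unsigned int uid)
{
    for (size_t i = 0; i < N_CACHE; i++) {
        if (sample_cache[i].uid == uid) {
            return &sample_cache[i];
        }
    }
    return NULL;
}

/* Returns the name to hand back to the client, or NULL for "not found".
 * check_filter_on_shortcut == false models the behaviour before the fix:
 * a valid cache hit returns immediately and the filter is only consulted on
 * the slow path, so a filtered user is exposed once it is in the cache.
 * check_filter_on_shortcut == true applies the filter on every return path. */
const char *lookup_by_uid(unsigned int uid, bool check_filter_on_shortcut)
{
    const struct cached_user *u = cache_find_uid(uid);
    if (u == NULL) {
        return NULL;
    }

    if (u->valid) {
        /* Shortcut: fresh entry, no backend round trip. */
        if (check_filter_on_shortcut && is_filtered_user(u->name)) {
            return NULL;
        }
        return u->name;
    }

    /* Slow path (real SSSD would refresh from the backend here);
     * this is the only place the filter was applied before the fix. */
    if (is_filtered_user(u->name)) {
        return NULL;
    }
    return u->name;
}
```

The two reproduction recipes in the PR (enumeration, or a prior `getent passwd <uid>`) both just ensure the entry is `valid` in the cache before the second lookup, which is exactly the state in which the unchecked shortcut leaks the filtered name.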
[sssd PR#298][opened] pam_sss: Fix checking of empty string cert_user
by lslebodn
URL: https://github.com/SSSD/sssd/pull/298
Author: lslebodn
Title: #298: pam_sss: Fix checking of empty string cert_user
Action: opened
PR body:
"""
src/sss_client/pam_sss.c: In function ‘eval_response’:
src/sss_client/pam_sss.c:998:64: error: comparison between pointer and zero character constant [-Werror=pointer-compare]
if (type == SSS_PAM_CERT_INFO && pi->cert_user == '\0') {
^~
src/sss_client/pam_sss.c:998:50: note: did you mean to dereference the pointer?
if (type == SSS_PAM_CERT_INFO && pi->cert_user == '\0') {
^
src/sss_client/pam_sss.c:1010:42: error: comparison between pointer and zero character constant [-Werror=pointer-compare]
&& pi->cert_user != '\0') {
^~
src/sss_client/pam_sss.c:1010:28: note: did you mean to dereference the pointer?
&& pi->cert_user != '\0') {
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/298/head:pr298
git checkout pr298
6 years, 10 months
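The compiler errors quoted above come from comparing the pointer `pi->cert_user` against the character constant `'\0'`, which tests whether the pointer is NULL, not whether the string is empty. The following added example (not SSSD code; `struct pam_items_like` is a hypothetical stand-in for the real `pam_items` field named in the log) places the two checks side by side. The buggy variant is written as `== NULL` because that is what the flagged expression actually evaluates, and writing it literally would not compile under `-Werror=pointer-compare`.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for the pam_items field referenced in the build log. */
struct pam_items_like {
    const char *cert_user;
};

/* What `pi->cert_user == '\0'` actually means: a pointer-vs-NULL test.
 * For an empty string "" the pointer is non-NULL, so this never fires. */
bool cert_user_is_empty_buggy(const struct pam_items_like *pi)
{
    return pi->cert_user == NULL;
}

/* Correct emptiness check: guard the pointer, then look at the first byte. */
bool cert_user_is_empty_fixed(const struct pam_items_like *pi)
{
    return pi->cert_user == NULL || pi->cert_user[0] == '\0';
}

/* Sample items constructed for this example. */
static const struct pam_items_like sample_empty  = { "" };
static const struct pam_items_like sample_null   = { NULL };
static const struct pam_items_like sample_scuser = { "scuser" };

const struct pam_items_like *sample_items(int which)
{
    switch (which) {
    case 0:  return &sample_empty;
    case 1:  return &sample_null;
    default: return &sample_scuser;
    }
}
```

The security-relevant point is the divergence on `""`: a code path meant to treat "no certificate user" specially silently takes the other branch for an empty string, which is exactly the case GCC's `-Wpointer-compare` diagnostic is pointing at.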
[sssd PR#296][opened] TESTS: Add one config-check test case
by mzidek-rh
URL: https://github.com/SSSD/sssd/pull/296
Author: mzidek-rh
Title: #296: TESTS: Add one config-check test case
Action: opened
PR body:
"""
Add test case with wrong subdomain section format, where too many
domains are used to identify the trusted domain instead of just the
connected domain and the one trusted domain that is being configured.
This test case came out of a discussion I had a while ago with Fabiano when we came to the conclusion that some people may try to falsely set the subdomain configuration by putting all domains in the forest between the connected domain and the trusted domain. Fabiano suggested it would be good to have explicit tests for this in the config-check tests and I agreed :)
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/296/head:pr296
git checkout pr296
6 years, 10 months
Changes to default ccache in krb5.conf
by Lukas Slebodnik
ehlo,
I had a discussion with QEs and realized that sssd needs to be restarted
if default_ccache_name is changed in krb5 configuration files.
The reason is that we cache the value but do not refresh it.
https://pagure.io/SSSD/sssd/blob/master/f/src/providers/krb5/krb5_common....
We might change that using inotify. But we would need to change.
I am not sure whether it will be trivial to change because we would need to
change the cached value in "struct dp_option *opts" for all domains (including
subdomains)
ATM the safest way is to restart sssd. But do we want to be more flexible here?
LS
6 years, 10 months
[sssd PR#268][opened] pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT
by sumit-bose
URL: https://github.com/SSSD/sssd/pull/268
Author: sumit-bose
Title: #268: pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT
Action: opened
PR body:
"""
This patchset got lost when I prepared the certificate mapping patch set.
Applications like gdm with enabled Smartcard support will try to determine the
user based on data from the certificate or expect that it is done for them
and hence do not prompt for a user name. If a certificate is mapped to multiple
accounts this cannot work because it is not clear which account should be used.
In this case a 'user name hint' must be given by the user to help the
application to find the right user.
To get a consistent user experience while still only prompting for a PIN in
environments where a certificate is uniquely mapped to only a single user, IPA
offers the 'ipa certmapconfig-mod --promptusername=BOOL' command to switch
'user name hinting' on or off.
To test the behavior 'sssctl user-checks' can be used.
/etc/pam.d/smartcard-auth should be configured for SSSD and like:
...
auth required pam_env.so
auth sufficient pam_sss.so allow_missing_name
auth required pam_deny.so
...
If now a Smartcard is inserted where the certificate is mapped to multiple
users you will see:
user:
action: auth
service: gdm-smartcard
testing pam_authenticate
PIN for AD.DEVEL Admin (OpenSC Card)
User name hint:
pam_authenticate for user []: Authentication failure
PAM Environment:
- PKCS11_LOGIN_TOKEN_NAME=AD.DEVEL Admin (OpenSC Card)
if no user name hint is given and
user:
action: auth
service: gdm-smartcard
testing pam_authenticate
PIN for AD.DEVEL Admin (OpenSC Card)
User name hint: scuser
pam_authenticate for user [scuser]: Success
PAM Environment:
- PKCS11_LOGIN_TOKEN_NAME=AD.DEVEL Admin (OpenSC Card)
if a suitable user name hint was given.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/268/head:pr268
git checkout pr268
6 years, 10 months
[sssd PR#294][opened] KRB5: Fix access_provider=krb5
by jhrozek
URL: https://github.com/SSSD/sssd/pull/294
Author: jhrozek
Title: #294: KRB5: Fix access_provider=krb5
Action: opened
PR body:
"""
Resolves:
https://pagure.io/SSSD/sssd/issue/3418
The domain type (posix or not) was being sent to the krb5_child always, but
the buffer only had enough space in case of authentication, not
authorization.
This patch makes the buffer one uint32_t unit larger.
To reproduce, just set up sssd.conf with:
```
access_provider = krb5
```
Without the patch, you would see messages like:
```
==14111== Invalid write of size 2
==14111== at 0x4C3041B: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==14111== by 0xE0EE275: safealign_memcpy (util_safealign.h:51)
==14111== by 0xE0EECB3: create_send_buffer (krb5_child_handler.c:239)
==14111== by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
==14111== by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
==14111== by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
==14111== by 0x418868: file_dp_request (dp_request.c:254)
==14111== by 0x418976: dp_req_send (dp_request.c:300)
==14111== by 0x41C25F: dp_pam_handler (dp_target_auth.c:219)
==14111== by 0x52B3456: sbus_request_invoke_or_finish (sssd_dbus_request.c:71)
==14111== by 0x52B0F37: sbus_message_handler_got_caller_id (sssd_dbus_interface.c:1048)
==14111== by 0x923C923: tevent_common_loop_immediate (tevent_immediate.c:135)
==14111== Address 0x126ab506 is 150 bytes inside a block of size 151 alloc'd
==14111== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==14111== by 0x944D7F4: __talloc_with_prefix (talloc.c:698)
==14111== by 0x944D7F4: __talloc (talloc.c:739)
==14111== by 0x944D7F4: _talloc_named_const (talloc.c:896)
==14111== by 0x944D7F4: talloc_named_const (talloc.c:1675)
==14111== by 0xE0EE7B6: create_send_buffer (krb5_child_handler.c:185)
==14111== by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
==14111== by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
==14111== by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
==14111== by 0x418868: file_dp_request (dp_request.c:254)
==14111== by 0x418976: dp_req_send (dp_request.c:300)
==14111== by 0x41C25F: dp_pam_handler (dp_target_auth.c:219)
==14111== by 0x52B3456: sbus_request_invoke_or_finish (sssd_dbus_request.c:71)
==14111== by 0x52B0F37: sbus_message_handler_got_caller_id (sssd_dbus_interface.c:1048)
==14111== by 0x923C923: tevent_common_loop_immediate (tevent_immediate.c:135)
```
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/294/head:pr294
git checkout pr294
6 years, 10 months
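The valgrind trace above is the classic shape of a size computation that disagrees with the serialization that follows it: the domain type was written for both authentication and access requests, but only counted for authentication, so the access path wrote one `uint32_t` past the end of the talloc'd block. The added example below (not SSSD code; `build_request`, `request_size` and the buffer helpers are hypothetical stand-ins for `create_send_buffer()` and `safealign_memcpy()`) shows the defensive pattern: every append is bounds-checked against the allocated size, so a mismatch between the size computation and the writes is reported as a failure instead of becoming a heap overflow. The `buggy_size` flag reproduces the pre-patch size computation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Request kinds modelled here; names are constructed for the example. */
enum req_type { REQ_AUTH = 1, REQ_ACCESS = 2 };

/* Growable-free, fixed-size output buffer with a write cursor. */
struct send_buf {
    uint8_t *data;
    size_t size;   /* bytes allocated */
    size_t off;    /* bytes written so far */
};

/* Bounds-checked append of one uint32_t; refuses to write past `size`. */
static bool buf_put_u32(struct send_buf *b, uint32_t v)
{
    if (b->size - b->off < sizeof(v)) {
        return false;
    }
    memcpy(b->data + b->off, &v, sizeof(v));
    b->off += sizeof(v);
    return true;
}

/* Bounds-checked append of a length-prefixed, NUL-terminated string. */
static bool buf_put_str(struct send_buf *b, const char *s)
{
    size_t len = strlen(s) + 1;
    if (!buf_put_u32(b, (uint32_t)len)) {
        return false;
    }
    if (b->size - b->off < len) {
        return false;
    }
    memcpy(b->data + b->off, s, len);
    b->off += len;
    return true;
}

/* Size computation for the wire format written by build_request().
 * The domain type is written for every request kind, so it must be counted
 * for every request kind; count_domain_type_for_access == false reproduces
 * the pre-patch mismatch, where only the auth path reserved room for it. */
static size_t request_size(enum req_type t, const char *user,
                           bool count_domain_type_for_access)
{
    size_t size = sizeof(uint32_t)                    /* request type   */
                + sizeof(uint32_t) + strlen(user) + 1; /* len + user     */
    if (t == REQ_AUTH || count_domain_type_for_access) {
        size += sizeof(uint32_t);                     /* domain type    */
    }
    return size;
}

/* Returns true if the whole request fit into the buffer sized by
 * request_size(); false means the computed size was too small and the
 * offending write was refused rather than performed out of bounds. */
bool build_request(enum req_type t, const char *user, uint32_t domain_type,
                   bool buggy_size)
{
    struct send_buf b = { NULL, 0, 0 };
    b.size = request_size(t, user, !buggy_size);
    b.data = calloc(1, b.size);
    if (b.data == NULL) {
        return false;
    }

    bool ok = buf_put_u32(&b, (uint32_t)t)
           && buf_put_str(&b, user)
           && buf_put_u32(&b, domain_type);   /* written for both kinds */

    free(b.data);
    return ok;
}
```

With the buggy size, the auth request still fits (its size always included the extra field) while the access request fails on the final append, the same one-field-short discrepancy valgrind reported as a write at offset 150 inside a 151-byte block.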