URL: https://github.com/SSSD/sssd/pull/175
Author: lslebodn
Title: #175: Add module for starting services
Action: opened
PR body:
"""
This is a WIP version of reducing code duplication in our cwrap integration tests.
I am still not sure whether we should also reuse function `create_sssd_fixture`.
And if yes; then probably in a different module than `services`
And comments are welcome.
BTW I wrote the patches a few weeks ago; therefore the new tests are not converted.
I am just sending patches to get some feedback.
Side effect of these patches is that tests are cca 20% faster (IIRC)
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/175/head:pr175
git checkout pr175
URL: https://github.com/SSSD/sssd/pull/616
Author: asheplyakov
Title: #616: become_user: add supplementary groups so ad provider can access keytab
Action: opened
PR body:
"""
For security reasons one might want to run providers as a non-privileged
user (say, _sssd). However some providers (in particular ad) might need
access to restricted (non world-readable) files (for instance,
/etc/krb5.keytab). One of the possible ways to solve the problem is to
- add a special group (for instance, _keytab)
- set the owner:group of the file in question to root:_keytab
- set the permissions of the file in question to 640
- make the _sssd user a member of the _keytab group
For this to work become_user should assign supplementary groups, which
is what this patch does.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/616/head:pr616
git checkout pr616
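Added example (not SSSD's own become_user): the privilege drop in the order the PR requires, supplementary groups first, plus a small model of the kernel's DAC read check showing why the keytab stays unreadable unless the _keytab group is actually assigned. The uids/gids (1001, 2001) and the user name used in main() are constructed for the example.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Process credentials as seen by the kernel's DAC check. */
struct creds {
    uid_t uid;
    gid_t gid;
    const gid_t *groups;   /* supplementary groups */
    size_t ngroups;
};

/* Model of the classic Unix read check (capabilities and ACLs ignored):
 * owner class if uid matches, else group class if the primary gid or any
 * supplementary group matches, else the "other" class. */
static bool can_read(const struct creds *c, uid_t f_uid, gid_t f_gid, mode_t mode)
{
    if (c->uid == f_uid) {
        return (mode & S_IRUSR) != 0;
    }
    if (c->gid == f_gid) {
        return (mode & S_IRGRP) != 0;
    }
    for (size_t i = 0; i < c->ngroups; i++) {
        if (c->groups[i] == f_gid) {
            return (mode & S_IRGRP) != 0;
        }
    }
    return (mode & S_IROTH) != 0;
}

/* Constructed scenario from the PR: /etc/krb5.keytab is root:_keytab 0640,
 * the provider runs as _sssd (uid/gid 1001) and _keytab is gid 2001. */
static bool keytab_readable_as_sssd(bool with_keytab_group)
{
    static const gid_t supplementary[] = { 2001 };
    struct creds sssd = {
        .uid = 1001,
        .gid = 1001,
        .groups = with_keytab_group ? supplementary : NULL,
        .ngroups = with_keytab_group ? 1 : 0,
    };
    return can_read(&sssd, 0, 2001, 0640);
}

/* Drop to an unprivileged user, assigning its supplementary groups first.
 * Order matters: initgroups() and setgid() need CAP_SETGID, so they must run
 * before setuid() gives root away. Returns 0 or an errno value. This is the
 * example's own implementation, not SSSD's become_user. */
static int become_user(const char *username)
{
    struct passwd *pw;

    errno = 0;
    pw = getpwnam(username);
    if (pw == NULL) {
        return errno != 0 ? errno : ENOENT;
    }
    if (geteuid() == pw->pw_uid) {
        return 0;               /* already the target user, nothing to do */
    }
    /* The step the PR adds: without it the _keytab membership recorded in
     * the group database never reaches the process. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) {
        return errno;
    }
    if (setgid(pw->pw_gid) != 0) {
        return errno;
    }
    if (setuid(pw->pw_uid) != 0) {
        return errno;
    }
    /* The drop must be irreversible; regaining root has to fail now. */
    if (setuid(0) == 0) {
        return EPERM;
    }
    return 0;
}

int main(void)
{
    printf("keytab readable with _keytab group:    %s\n",
           keytab_readable_as_sssd(true) ? "yes" : "no");
    printf("keytab readable without _keytab group: %s\n",
           keytab_readable_as_sssd(false) ? "yes" : "no");
    /* Only meaningful as root; as an ordinary user initgroups() fails with EPERM. */
    printf("become_user(\"nobody\") returned %d\n", become_user("nobody"));
    return 0;
}
```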
URL: https://github.com/SSSD/sssd/pull/269
Author: NWilson
Title: #269: Add support for ActiveDirectory's logonHours restrictions
Action: opened
PR body:
"""
This is a straightforward patch for denying access to a user when the user is not permitted to access their account due to logonHours restrictions.
This matches the default behaviour for domain-joined Windows machines. When outside the logonHours, all types of authentication are denied (password/Kerberos/certificate) - so it is appropriate to put this check inside the PAM "account" rules.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/269/head:pr269
git checkout pr269
URL: https://github.com/SSSD/sssd/pull/578
Author: amitkumar50
Title: #578: proxy: proxy_child hardening
Action: opened
PR body:
"""
proxy_child will call chdir("/"), umask(022)
and reset the environment with clearenv().
The --domain argument is to be sanitized.
Resolves: https://pagure.io/SSSD/sssd/issue/2689
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/578/head:pr578
git checkout pr578
URL: https://github.com/SSSD/sssd/pull/596
Author: amitkumar50
Title: #596: [CONFDB]:[RFE] Add "enabled" option to domain section
Action: opened
PR body:
"""
Upstream Request:
Instead of enabling domains using the "domains" option in [sssd]
section we could have [domain/*] option "enabled". This would allow
admins to configure and enable domain in the same snippet file.
This Fix would be submitted in 2 patches:
Patch-1(This Patch):
- Introduces 'enabled' option in domain section
- Introduces 'CONFDB_DOMAIN_ENABLED' variable to retrieve enabled value
from confdb
- Code to call start_service() routine only for domains having enabled=1
Patch-2(Upcoming):
- Would remove 'domains' option from sssd section.
- Would remove corresponding code to parse 'domains' option
- Providing a check that at least one domain has the enabled option set.
Resolves: https://pagure.io/SSSD/sssd/issue/3735
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/596/head:pr596
git checkout pr596
URL: https://github.com/SSSD/sssd/pull/132
Author: fidencio
Title: #132: Add "Wants=" to sssd unit and avoid PAC responder to be always running
Action: opened
PR body:
"""
The first patch changes the current logic of having the services' sockets disabled by default as it adds a "Wants=" to the sssd unit file, making all the services' sockets enabled by the moment sssd service is enabled.
The second patch takes advantage of the first patch and avoids running PAC responder in case its socket is active, leaving the service to be socket-activated when needed.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/132/head:pr132
git checkout pr132
URL: https://github.com/SSSD/sssd/pull/558
Author: jhrozek
Title: #558: WIP: Add a test for sss_nss_getgrouplist_timeout and fix invalidating the initgroups cache
Action: opened
PR body:
"""
This is a WIP on adding tests for the sss_nss_ex interface. I covered only the sss_nss_getgrouplist_timeout function so far.
I'm submitting the PR already in this state to get some feedback if this
coverage is enough and the other functions can be covered similarly or
if there is some issue with this approach.
Also, I found a bug in invalidating the initgroups memory cache, that's
the first of the two patches. Here I'm really not sure if the fix is even
how the issue should be fixed, so I just hacked something up, even without
allocation checks etc.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/558/head:pr558
git checkout pr558
URL: https://github.com/SSSD/sssd/pull/390
Author: mzidek-rh
Title: #390: NSS: Add option to disable memcache
Action: opened
PR body:
"""
Added option use_memcache to centrally disable memcache
for all clients without the need to specify SSS_NSS_USE_MEMCACHE=NO
environment variable.
Resolves:
https://pagure.io/SSSD/sssd/issue/3496
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/390/head:pr390
git checkout pr390
URL: https://github.com/SSSD/sssd/pull/560
Author: ChrisKowalczyk
Title: #560: NSS: close files after mmap
Action: opened
PR body:
"""
The files in the MC cache folder were initialized by SSSD on startup and mapped using the mmap function. Due to the fact that they weren't closed afterwards, their file descriptors were still marked alive but marked as 'Deleted'.
This was noticed by a customer of SUSE, see more details here: https://bugzilla.suse.com/show_bug.cgi?id=1080156
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/560/head:pr560
git checkout pr560
URL: https://github.com/SSSD/sssd/pull/677
Author: thalman
Title: #677: pcre: port to pcre2
Action: opened
PR body:
"""
Some distributions want to drop pcre support. Sssd should work with
pcre2. With this patch sssd tries to use pcre2 if pcre is not present.
Resolves:
https://pagure.io/SSSD/sssd/issue/3833
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/677/head:pr677
git checkout pr677
URL: https://github.com/SSSD/sssd/pull/541
Author: pbrezina
Title: #541: memberof: keep memberOf attribute for nested member
Action: opened
PR body:
"""
If we have a member that is both direct and nested member,
memberOf attribute was removed if the direct membership
was deleted.
1)
user ----------> groupB -> groupC
  \-> groupA ---/
2)
user -> groupA -> groupB -> groupC
If we remove user->groupB from 1), we get 2) but groupB was still
removed from user memberOf attribute.
Resolves:
https://pagure.io/SSSD/sssd/issue/3636
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/541/head:pr541
git checkout pr541
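Added example (not SSSD's memberof plugin): the nesting from the PR built as a tiny constructed directory, with memberOf recomputed from the remaining edges after the direct user->groupB membership is removed, next to the naive "drop the group and everything above it" logic the PR describes, which wrongly loses groupB and groupC.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 4
enum { USER = 0, GROUPA, GROUPB, GROUPC };
static const char *const names[MAX_ENTRIES] = { "user", "groupA", "groupB", "groupC" };

/* member[g][m] is true when entry m is a direct member of group g. */
struct directory {
    bool member[MAX_ENTRIES][MAX_ENTRIES];
};

static int count(const bool memberof[MAX_ENTRIES])
{
    int n = 0;
    for (int g = 0; g < MAX_ENTRIES; g++) {
        n += memberof[g] ? 1 : 0;
    }
    return n;
}

/* Walk "groups that contain e" transitively, marking each in memberof[].
 * The visited check makes the diamond (groupB reachable both directly and via
 * groupA) and any membership cycle terminate. */
static void walk(const struct directory *d, int e, bool memberof[MAX_ENTRIES])
{
    for (int g = 0; g < MAX_ENTRIES; g++) {
        if (d->member[g][e] && !memberof[g]) {
            memberof[g] = true;
            walk(d, g, memberof);
        }
    }
}

/* Fixed behaviour: recompute memberOf for e from the edges that still exist. */
static int recompute_memberof(const struct directory *d, int e, bool memberof[MAX_ENTRIES])
{
    memset(memberof, 0, MAX_ENTRIES * sizeof(bool));
    walk(d, e, memberof);
    return count(memberof);
}

/* Buggy shape from the PR: on removal of a direct membership, drop the group
 * and everything it is nested in without checking for other paths. */
static void naive_remove_direct(const struct directory *d, int group, bool memberof[MAX_ENTRIES])
{
    memberof[group] = false;
    for (int g = 0; g < MAX_ENTRIES; g++) {
        if (d->member[g][group] && memberof[g]) {
            naive_remove_direct(d, g, memberof);
        }
    }
}

/* Scenario 1) from the PR, constructed for the example. */
static void build_scenario(struct directory *d)
{
    memset(d, 0, sizeof(*d));
    d->member[GROUPB][USER] = true;    /* user -> groupB (direct) */
    d->member[GROUPA][USER] = true;    /* user -> groupA (direct) */
    d->member[GROUPB][GROUPA] = true;  /* groupA -> groupB: user is also nested in groupB */
    d->member[GROUPC][GROUPB] = true;  /* groupB -> groupC */
}

/* memberOf size in scenario 1): groupA, groupB, groupC. */
static int memberof_before(void)
{
    struct directory d;
    bool m[MAX_ENTRIES];
    build_scenario(&d);
    return recompute_memberof(&d, USER, m);
}

/* Remove user->groupB (giving scenario 2) and report the resulting memberOf,
 * using either the recompute (fixed) or the naive (buggy) logic. */
static int memberof_after_removal(bool fixed, bool out[MAX_ENTRIES])
{
    struct directory d;
    build_scenario(&d);
    recompute_memberof(&d, USER, out);   /* memberOf as stored before the change */
    d.member[GROUPB][USER] = false;
    if (fixed) {
        return recompute_memberof(&d, USER, out);
    }
    naive_remove_direct(&d, GROUPB, out);
    return count(out);
}

static bool groupb_kept(bool fixed)
{
    bool m[MAX_ENTRIES];
    memberof_after_removal(fixed, m);
    return m[GROUPB];
}

static int memberof_size(bool fixed)
{
    bool m[MAX_ENTRIES];
    return memberof_after_removal(fixed, m);
}

int main(void)
{
    for (int fixed = 0; fixed < 2; fixed++) {
        bool m[MAX_ENTRIES];
        memberof_after_removal(fixed, m);
        printf("%s: user memberOf =", fixed ? "recompute" : "naive");
        for (int g = 0; g < MAX_ENTRIES; g++) {
            if (m[g]) printf(" %s", names[g]);
        }
        printf("\n");
    }
    return 0;
}
```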
URL: https://github.com/SSSD/sssd/pull/650
Author: jhrozek
Title: #650: Implement a hybrid mode of generating private groups
Action: opened
PR body:
"""
Related:
https://pagure.io/SSSD/sssd/issue/3822
Design page PR:
https://pagure.io/SSSD/docs/pull-request/72
Commit messages follow, hopefully they are enough to explain what is going on.
SYSDB: Special case getgrnam and getgrgid searches in hybrid MPG mode
In hybrid MPG mode, we want to return the MPG group only in case the user
entry has no original GID set. To achieve this, we first search with the
non-MPG filter to find 'real' groups. If that fails, we try the MPG filter,
but throw away entries that have any real GID set.
Related: https://pagure.io/SSSD/sssd/issue/3822
SYSDB: Refactor the mpg and non-mpg searches out of sysdb_getgrnam() and sysdb_getgrgid() to make them more reusable
The getgrnam and getgrgid searches already special-case lookups with
overrides where in some cases the search falls back to a non-MPG search.
The upcoming special case for the hybrid mode would do something similar,
just in the opposite direction, so it makes sense to split out the
functions for just the MPG step and just the non-MPG step into reusable
functions.
Related: https://pagure.io/SSSD/sssd/issue/3822
CONFDB/NSS: Add the hybrid MPG mode
Permits a new option value 'hybrid' for the auto_private_groups option. The
option was even previously marked as a string option in both the configAPI
and the man pages, so we don't have to change the type now.
If the hybrid mode is selected and the user's original GID number is
available, then during initgroups and getpwnam, it is used as their primary
GID instead of the MPG group. The original group is also not added as a
secondary group during initgroups in this case.
Related: https://pagure.io/SSSD/sssd/issue/3822
CONFDB: Read auto_private_groups as string, not bool
In preparation to adding the third value of auto_private_groups, this patch
reads the confdb value as string and checks for the option values on its
own.
Related: https://pagure.io/SSSD/sssd/issue/3822
UTIL: Convert bool mpg to an enum mpg_mode
Instead of bool mpg inside struct sss_domain_info, let's introduce enum
mpg_mode that currently maps pretty much 1:1 to the boolean. In future
patches, a third value will be added.
Also adds a getter for the mpg_mode value because we want to discourage
getting or setting the value directly. Instead, the sss_domain_info
structure should be opaque in the future.
Related: https://pagure.io/SSSD/sssd/issue/3822
UTIL: Add a is_domain_mpg shorthand
Instead of looking into the domain structure directly, add a
sss_domain_is_mpg() function. This will make sense when we add a third
state instead of the boolean that will also be mpg-like.
Related: https://pagure.io/SSSD/sssd/issue/3822
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/650/head:pr650
git checkout pr650
URL: https://github.com/SSSD/sssd/pull/644
Author: joeFischetti
Title: #644: When multiple UIDs exist, use the username provided by the user as the first lookup
Action: opened
PR body:
"""
The current state of the code has no way of determining the "correct" UID to use when there are multiple values. If there are multiple values, and the RDN doesn't match, this update checks the UID's returned against the username that was provided by the user at the prompt. If that matches, it's used. If that doesn't match, it falls back to the existing code.
Example:
My ldap record includes multiple uid values, ["genericemployee1", "itstaff1"]
I need access to machines as "itstaff1". "genericemployee1" is used as an identifier in other systems/services.
If I log in with "itstaff1" at the prompt, and my ldap lookup with filter (uid=itstaff1) is successful, the array of UIDs is checked against "itstaff1" and that's what *_primary is set to.
With the current code, if I try to log in with "itstaff1" at the prompt, I'm actually logged into the system as "genericemployee1". Based on the order that the values are returned... some other staff are logged into their "genericemployee" or the "itstaff" accounts.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/644/head:pr644
git checkout pr644
URL: https://github.com/SSSD/sssd/pull/686
Author: pbrezina
Title: #686: nss: use enumeration context as talloc parent for cache req result
Action: opened
PR body:
"""
Otherwise we end up with a memory leak since the result is never freed.
Resolves:
https://pagure.io/SSSD/sssd/issue/3870
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/686/head:pr686
git checkout pr686
URL: https://github.com/SSSD/sssd/pull/685
Author: jhrozek
Title: #685: Hi,
Action: opened
PR body:
"""
this PR allows the administrator to only restart the KCM service in order
to apply changes in sssd.conf's [kcm] section.
I think this would be nice for admins, but the code feels already a bit
hackish to me. I think we should keep on working on the static files with
the read-only configuration, because then:
- we could get rid of the special case to remove the section, because
the section would always be there
- we could remove different cases for adding/replacing sections
- ..and of course the other things like config-show or running with
no config file, just snippets
I also didn't enable this functionality for the other responders. I don't
know if it makes sense without more testing and in general I don't think
there are too many users of socket activated responders except kcm.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/685/head:pr685
git checkout pr685
URL: https://github.com/SSSD/sssd/pull/687
Author: pbrezina
Title: #687: sbus: allow access for sssd user
Action: opened
PR body:
"""
D-Bus allows access for root and euid by default, however when running
in non-root mode monitor continues to run as root but responders as sssd
user. Therefore monitor euid != sssd user and the connection is terminated.
We must explicitly allow the connection for sssd user uid.
Resolves:
https://pagure.io/SSSD/sssd/issue/3871
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/687/head:pr687
git checkout pr687
URL: https://github.com/SSSD/sssd/pull/682
Author: thalman
Title: #682: DYNDNS: Drop support for legacy NSUPDATE
Action: opened
PR body:
"""
We should drop support for legacy versions of NSUPDATE that don't
support 'realm' option. The option 'realm' was added in
BIND 9.8.0a1.
Resolves:
https://pagure.io/SSSD/sssd/issue/2817
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/682/head:pr682
git checkout pr682
URL: https://github.com/SSSD/sssd/pull/684
Author: sumit-bose
Title: #684: ifp: fix typo causing a crash in FindByNameAndCertificate
Action: opened
PR body:
"""
Due to a typo in the recent refactoring the InfoPipe crashes in the
FindByNameAndCertificate request.
Additionally a state variable is set to the expected value.
Related to https://pagure.io/SSSD/sssd/issue/3863
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/684/head:pr684
git checkout pr684
URL: https://github.com/SSSD/sssd/pull/683
Author: jhrozek
Title: #683: PYSSS: Re-add the pysss.getgrouplist() interface
Action: opened
PR body:
"""
Related: https://pagure.io/SSSD/sssd/issue/3493
Commit 0e211b8ba30c3adcdeef21ca1339b194cbfffb04 was supposed to remove only
the parts of the pysss API that relate to the local domain. But it removed
also the getgrouplist() method by accident. This method is very important
to IPA, so we need to add it back.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/683/head:pr683
git checkout pr683
Oops, I answered only Jakub... Here is the list included again.
Am 24.10.18 um 09:04 schrieb Jakub Hrozek:
>> On 24 Oct 2018, at 08:31, Franz Dietrich <dietrich(a)teilgedanken.de> wrote:
>>
>> Am 23.10.18 um 19:08 schrieb Jakub Hrozek:
>>> On Tue, Oct 23, 2018 at 10:59:51AM +0200, Franz Dietrich wrote:
>>>> Hello all,
>>>>
>>>> I recently discovered
>>>> https://docs.pagure.org/SSSD.sssd/design_pages/accounts_service.html and
>>>> I was like yeay that's exactly what I need. But then there is the "not
>>>> implemented thing..."
>>> Interesting, I wonder how exactly this would help you?
>> I'm writing a gui tool for managing users. The tools target audience are
>> teachers in schools and universities. So the tool is able to batch
>> create users, assign and create groups and manage some shared folders.
> Have you considered using libuser? It can already create users in LDAP.
One thing I'm not getting in libuser is how do I add a user to a group
with libuser...
(in python)
import libuser
adm = libuser.admin()
u = adm.lookupUserByName('user')
g = adm.lookupGroupByName('wheel')
#howto do that
g.addUser(u)
URL: https://github.com/SSSD/sssd/pull/681
Author: madhuriupadhye
Title: #681: pytest: Add test cases for configuration validation
Action: opened
PR body:
"""
Test cases cover configuration validation for sssd.conf,
"config-check" option of the "sssctl" command to locate
problems in the configuration file.
Signed-off-by: Madhuri Upadhye <mupadhye(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/681/head:pr681
git checkout pr681
Hello all,
I recently discovered
https://docs.pagure.org/SSSD.sssd/design_pages/accounts_service.html and
I was like yeay that's exactly what I need. But then there is the "not
implemented thing..."
Is there any progress/preview/release plan worth waiting for? Or did that
project not (yet) leave the "might be a good idea" phase.
All the best
Franz Dietrich
URL: https://github.com/SSSD/sssd/pull/413
Author: sumit-bose
Title: #413: mmap_cache: add SID and type to struct sss_mc_rec
Action: opened
PR body:
"""
This patchset updates the memory cache by adding some new members to struct
sss_mc_rec. One is the addition of a hash value for SID based lookup which will
be added in later patches.
The other is a new record type and a member indicating the type. The new type
is a link record which links an alias name, e.g. a UPN, to the original record
of the related user or group object.
Besides aliases this link record will be used in case-insensitive setups. E.g.
if getpwnam() returns the name of an AD user as Administrator@ad.domain but
some applications or users use administrator@ad.domain for lookups the memory
cache is currently never used because there is no entry with the hash of
'administrator@ad.domain'. With this patch the original data record is created
as before with the hash for 'Administrator@ad.domain' and a link record is
created with the hash of 'administrator@ad.domain'. Now both lookups can be
handled by the memory cache. If now another application uses
ADMINISTRATOR@AD.DOMAIN for lookups the first request will go to the NSS
responder but upcoming requests can use the memory cache as well because a link
record for ADMINISTRATOR@AD.DOMAIN is created.
The last patch in this series adds some additional data to the user and group
lookup requests, the short name, the domain name, the short domain name and the
SID. Those are needed to be able to support SID based lookups in the memory
cache and allow applications to not depend on the name format returned by
getpw{nam|uid}. Upcoming patches for libsss_nss_idmap will make those
additional values available to applications; I added them already here to keep
the memory cache related changes in one PR. Applications which will benefit here
are the interfaces SSSD provides e.g. to Samba related applications like SSSD's
version of libwbclient but also IPA plugins like extdom and slapi-nis.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/413/head:pr413
git checkout pr413
URL: https://github.com/SSSD/sssd/pull/678
Author: sumit-bose
Title: #678: files: add session recording flag
Action: opened
PR body:
"""
If session recording is configured for a group the NSS and PAM
responders rely on an attribute in the cache set by the backend to
determine if session recording is configured for the user or not. This
flag is typically set during the initgroups request.
Since the files provider does not have a dedicated initgroups request
the attribute must be set otherwise. This patch sets it for all users
after the files are reloaded.
Related to https://pagure.io/SSSD/sssd/issue/3855
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/678/head:pr678
git checkout pr678
URL: https://github.com/SSSD/sssd/pull/679
Author: jhrozek
Title: #679: UTIL: Suppress Coverity warning
Action: opened
PR body:
"""
We recently added this code:
    if (domain_name != NULL
            && is_files_provider(find_domain_by_name(dom,
                                                     domain_name,
                                                     false)))
find_domain_by_name returns NULL if the domain_name can't be found. This of
course makes mostly sense for trusted domains that can appear and
disappear. And is_files_provider() didn't handle the situation where the
domain pointer was NULL and would directly dereference it.
This commit just adds a NULL check for the domain pointer so that
is_files_provider() returns 'false' if the domain pointer was NULL.
Another alternative might be to check the return value of
find_domain_by_name(), but I don't think it's worth the trouble.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/679/head:pr679
git checkout pr679
URL: https://github.com/SSSD/sssd/pull/675
Author: jhrozek
Title: #675: p11: Fix -Wmaybe-uninitialized in p11_child_openssl.c
Action: opened
PR body:
"""
If uri_str was passed to the p11_child and parsing the URI failed, then
modules would be uninitialized, but freed in the done handler with
p11_kit_modules_finalize_and_release()
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/675/head:pr675
git checkout pr675
URL: https://github.com/SSSD/sssd/pull/674
Author: sumit-bose
Title: #674: p11_child: add OCSP and CRL check to the OpenSSL version
Action: opened
PR body:
"""
Two methods to check if certificates are revoked are added.
Since the two patches are only about certificate validation they can be tested
by calling p11_child with the --verification and --certificate option to just
verify the given certificate. OCSP is used by default if there is the URL of a
responder in the certificate. The CRL check must be enabled by specifying a PEM
CRL file with the new crl_file sub-option.
Related to https://pagure.io/SSSD/sssd/issue/3489
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/674/head:pr674
git checkout pr674
URL: https://github.com/SSSD/sssd/pull/670
Author: jhrozek
Title: #670: FILES: The files provider should not enumerate
Action: opened
PR body:
"""
Resolves: https://pagure.io/SSSD/sssd/issue/3849
For a reason I cannot explain now, the files provider always enumerates.
There is commit a60e6ec which implements this, but it's clearly wrong,
because then the plain getent passwd output contains duplicates from
nss_files and nss_sss:
$ getent passwd | sort
adm:x:3:4:adm:/var/adm:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
certuser:x:10329:10330::/home/certuser:/bin/bash
certuser:x:10329:10330::/home/certuser:/bin/bash
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/670/head:pr670
git checkout pr670
URL: https://github.com/SSSD/sssd/pull/661
Author: jhrozek
Title: #661: TESTS: Add a test for whitespace trimming in netgroup entries
Action: opened
PR body:
"""
This is a unit test for commit dbb1abae6eaa9df24f61e3a9f855e2461a66a197
To test, of course review the code, but you can also run git revert dbb1abae6eaa9df24f61e3a9f855e2461a66a197 and then make check should fail.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/661/head:pr661
git checkout pr661
URL: https://github.com/SSSD/sssd/pull/673
Author: sumit-bose
Title: #673: PAM: return short name for files provider users
Action: opened
PR body:
"""
If the 'allow_missing_name' option is used with pam_sss and the user
name will be determined based on the certificate content and the mapping
rules, the PAM responder will by default return the fully-qualified name
of the user which is then later used by other PAM modules as well.
For local users which are configured to use SSSD for Smartcard
authentication this might cause issues in other PAM modules because they
are not aware of the fully-qualified name and will treat the user as
unknown.
With this patch the PAM responder will return the short name for all
users handled by the files provider.
Related to https://pagure.io/SSSD/sssd/issue/3848
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/673/head:pr673
git checkout pr673
URL: https://github.com/SSSD/sssd/pull/669
Author: thalman
Title: #669: test_config: Test for invalid character in domain
Action: opened
PR body:
"""
There was a bug allowing forbidden characters in config file section name.
The bug has been fixed in the meantime but we decided to write the test to avoid
regression.
Resolves:
https://pagure.io/SSSD/sssd/issue/3334
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/669/head:pr669
git checkout pr669
URL: https://github.com/SSSD/sssd/pull/668
Author: sumit-bose
Title: #668: pam_sss: add try_cert_auth and require_cert_auth options
Action: opened
PR body:
"""
With these new options Smartcard authentication can be checked or required for
e.g. local users.
Related to https://pagure.io/SSSD/sssd/issue/3650
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/668/head:pr668
git checkout pr668
URL: https://github.com/SSSD/sssd/pull/671
Author: sumit-bose
Title: #671: PAM: use PKCS#11 URIs to restrict certificate selection
Action: opened
PR body:
"""
The new option 'p11_uri' to the PAM responder can be used to restrict the
selection of certificates in p11_child with the help of a PKCS#11 URI.
The implementation for the NSS version of p11_child is not available in this
PR. As you can see in the first patch the support for PKCS#11 URIs in NSS is
limited and I have to talk to NSS developers first if this will change or if it
would make more sense to use the PKCS#11 URI calls from libp11kit for the NSS
version as well.
To avoid rebase issues this PR is already on top of PR#668.
Related to https://pagure.io/SSSD/sssd/issue/3814
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/671/head:pr671
git checkout pr671
URL: https://github.com/SSSD/sssd/pull/665
Author: sumit-bose
Title: #665: p11: handle multiple certs during auth with OpenSSL
Action: opened
PR body:
"""
This patch adds missing code already available in the NSS version to
select a certificate for authentication if multiple certificates are
available on the Smartcard. A unit test to check this feature is added
as well.
Related to https://pagure.io/SSSD/sssd/issue/3489
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/665/head:pr665
git checkout pr665
URL: https://github.com/SSSD/sssd/pull/657
Author: pbrezina
Title: #657: be: use be_is_offline for the main domain when asking for domain status
Action: opened
PR body:
"""
The DOM_ACTIVE/INACTIVE flag is not used with the main domain as it
is used only for subdomains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3830
This is a regression in sbus2 patches. I filed a ticket [1] to make the
usage of this flag consistent for all domains. I did not implement it as
part of this patch because I expect some caveats there so I kept this
patch simple.
[1] https://pagure.io/SSSD/sssd/issue/3831
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/657/head:pr657
git checkout pr657
URL: https://github.com/SSSD/sssd/pull/663
Author: thalman
Title: #663: confdb: log an error when domain is misconfigured
Action: opened
PR body:
"""
We need to inform the user that there is a misconfiguration
and particular domain will not be started.
Resolves:
https://pagure.io/SSSD/sssd/issue/3827
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/663/head:pr663
git checkout pr663
URL: https://github.com/SSSD/sssd/pull/664
Author: jhrozek
Title: #664: pep8: Ignore W504 and W605 to silence warnings on Debian
Action: opened
PR body:
"""
This code:
    pkcs11_txt.write("library=libsoftokn3.so\nname=soft\n" +
                     "parameters=configdir='sql:" + config.ABS_BUILDDIR +
                     "/../test_CA/p11_nssdb' " +
                     "dbSlotDescription='SSSD Test Slot' " +
                     "dbTokenDescription='SSSD Test Token' " +
                     "secmod='secmod.db' flags=readOnly)\n\n")
pkcs11_txt.close()
Was producing warnings such as:
./src/tests/intg/test_pam_responder.py:143:22: W504 line break after binary operator
Even though it looks OK visually and conforms to pep8's written form.
Additionally, this regular expression compilation:
    Template = re.compile(
        ' *<template name="(\S+)">(.*?)</template>\r?\n?',
        re.MULTILINE | re.DOTALL
    )
Was producing a warning such as:
./src/sbus/codegen/sbus_Template.py:156:29: W605 invalid escape sequence '\S'
Since the \S literal is part of a regular expression, let's suppress
this warning as well.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/664/head:pr664
git checkout pr664
URL: https://github.com/SSSD/sssd/pull/666
Author: sumit-bose
Title: #666: ci: add http-parser-devel for Fedora
Action: opened
PR body:
"""
After adding a new CI worker the CI run failed because http_parser.h was not
found. Instead of adding http-parser-devel to the worker host directly I think
it makes more sense to add it to the list of required packages at least for
Fedora.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/666/head:pr666
git checkout pr666
URL: https://github.com/SSSD/sssd/pull/658
Author: mrniranjan
Title: #658: pytest: Test case for sudo: search with lower cased name for case insensitive domains
Action: opened
PR body:
"""
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/658/head:pr658
git checkout pr658
URL: https://github.com/SSSD/sssd/pull/660
Author: thalman
Title: #660: doc: remove local provider reference from manpages
Action: opened
PR body:
"""
Introduce new condition for documentation build. Related part of
documentation is excluded, if build is done without local provider.
Resolves https://pagure.io/SSSD/sssd/issue/3826
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/660/head:pr660
git checkout pr660
Hi,
this proposal might be controversial, but I think a little discussion wouldn’t hurt :-)
tl;dr: I propose we switch the default value of ignore_group_members from False to True by default
For anyone not intimate with SSSD options, this would make all groups appear to be effectively empty. The effect that the end user sees is that the group resolution is very fast, because only the group object, not the members have to be processed. As part of my dayjob, I'm involved in triaging RH customer cases and many of them are about performance. Ignoring the group members is quite often the first step and quite a few people are using that in production.
The reason I'm proposing this is that many calls, like getgr* issued by different command line utilities (id, ls -l, ...) typically only care about the GID-to-name translation. At the same time, the list of group members is both inaccurate (because we stop at a deep enough group nesting) and really not needed except for an admin to quickly see what members belong to a group. For access control, what is really used is the result of initgroups/getgrouplist. This is the call where we care about precision, because the list of groups the user is a member of can only be set during login. But getgr* returns the list of users who are members of a group and is not really required to be precise.
Returning the full list of group members from getgr* by default is very time consuming and inefficient. While we did a lot of work on the SSSD side to speed things up, like using the timestamps cache and only actually save something to the database when the object changes and we have even more ideas floating around (e.g. don’t parse the whole LDAPResult at once, but use a lazy parsing and return the attributes on demand), just fetching the large group objects and traversing the group hierarchy is bound to be very expensive. Even if SSSD is smart and throws away the data it doesn’t need without a lot of processing, the directory server side will incur a heavy load when returning the group members.
In an ideal world, I would prefer to follow up on a suggestion made by some Suse engineers several years ago (I'm sorry I can no longer find the link nor do I remember their names..) which was to add a getgrnam2/getgrgid2 call to libc, which would only provide the GID-to-name translation and patch popular applications in distributions to use that instead of getgrnam/getgrgid. But this is such an uphill battle that I don't think it's very realistic to implement.
Of course, we would have to both document and make it obvious from the debug logs why SSSD groups are coming back empty, but I think the performance benefit would outweigh the confusion.
For some additional details and discussion, please see e.g. https://pagure.io/389-ds-base/issue/49951