URL: https://github.com/SSSD/sssd/pull/702
Author: jhrozek
Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user
Action: opened
PR body:
"""
Resolves: https://pagure.io/SSSD/sssd/issue/3890
In case SSSD is compiled --with-sssd-user but run as root (which is the
default on RHEL and derivatives), then the memory cache will be owned by
the user that sssd_nss runs as, so root.
This conflicts with the packaging which specifies sssd.sssd as the owner.
And in turn, this means that users can't reliably assess the package
integrity using rpm -V.
This patch makes sure that the memory cache files are chowned to sssd.sssd
even if the nss responder runs as root.
Also, this patch changes the sssd_nss responder so that it becomes a member
of the supplementary sssd group. Even though in traditional UNIX sense, a
process running as root could write to a file owned by sssd:sssd, with
SELinux enforcing mode this becomes problematic as SELinux emits an error
such as:
type=AVC msg=audit(1543524888.125:1495): avc: denied { fsetid } for
pid=7706 comm="sssd_nss" capability=4 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:system_r:sssd_t:s0 tclass=capability
To make it possible for the sssd_nss process to write to the files, the
files are also made group-writable. The 'others' permission is still set to
read only.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/702/head:pr702
git checkout pr702
URL: https://github.com/SSSD/sssd/pull/713
Author: sumit-bose
Title: #713: krb5_child: fix permissions during SC auth
Action: opened
PR body:
"""
For PKINIT we might need access to the pcscd socket which by default is
only allowed for authenticated users. Since PKINIT is part of the
authentication and the user is not authenticated yet, we have to use
different privileges and can only drop them after the TGT is
received. The fast_uid and fast_gid are the IDs the backend is running
with. This can be either root or the 'sssd' user. Root is allowed by
default and the 'sssd' user is allowed with the help of the
sssd-pcsc.rules policy-kit rule. So those IDs are a suitable choice. We
can only call switch_creds() because after the TGT is returned we have
to switch to the IDs of the user to store the TGT.
The final change to the IDs of the user is not only important for KCM
type credential caches but for file based ccache types like FILE or DIR
as well.
Related to https://pagure.io/SSSD/sssd/issue/3376
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/713/head:pr713
git checkout pr713
URL: https://github.com/SSSD/sssd/pull/714
Author: sumit-bose
Title: #714: p11_child(openssl): do not free static memory
Action: opened
PR body:
"""
Coverity found a code path where we try to free a static array, this
patch removes it.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/714/head:pr714
git checkout pr714
URL: https://github.com/SSSD/sssd/pull/711
Author: sumit-bose
Title: #711: ipa: use only the global catalog service of the forest root
Action: opened
PR body:
"""
While creating the domains and sub-domains each domain gets a global
catalog service assigned but only one should be used because the global
catalog is by definition responsible for the whole forest so it does not
make sense to use a global catalog service for each domain and in the worst
case connect to the same GC multiple times.
In the AD provider this is simple because the GC service of the configured
domain AD_GC_SERVICE_NAME ("AD_GC") can be used. In the IPA case all
domains from the trusted forest are on the level of sub-domains so we have
to pick one. Since the forest root is linked from all domains of the same
forest it will be the most straightforward choice.
This would also be the proper fix for https://pagure.io/SSSD/sssd/issue/3015 so
the original fix for this ticket is reverted because it would cause other issues.
Related to https://pagure.io/SSSD/sssd/issue/3902
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/711/head:pr711
git checkout pr711
URL: https://github.com/SSSD/sssd/pull/696
Author: thalman
Title: #696: DYNDNS: SSSD does not batch DDNS update requests
Action: opened
PR body:
"""
SSSD includes a 'send' command in between each record modification
and does not batch DDNS update requests. This is problematic in
complex AD environments because those requests may not be processed
by the same server.
Now the zone update is done in two steps, one per protocol family. If
dyndns_update_per_family is set to false, the update is performed in a
single step.
Resolves:
https://pagure.io/SSSD/sssd/issue/3829
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/696/head:pr696
git checkout pr696
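As an added illustration of the batching described in this PR (not SSSD's own code, and the nsupdate-style line format and the function names are assumed), the builder below emits all record changes for a family before a single `send`, producing either one batch per protocol family or one batch overall:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical builder (not SSSD's own code): produce an nsupdate-style script
 * that replaces the A and AAAA records of 'fqdn'. Record changes are never
 * separated by "send"; per_family=true yields one "send" per protocol family,
 * per_family=false a single "send", mirroring dyndns_update_per_family. */
bool build_dyndns_script(char *buf, size_t cap, const char *fqdn, unsigned ttl,
                         const char *const *a, size_t na,
                         const char *const *aaaa, size_t naaaa, bool per_family)
{
    size_t used = 0;
/* Append one line; bail out if the buffer is already full. */
#define EMIT(...) do { if (used >= cap) return false; \
        used += (size_t)snprintf(buf + used, cap - used, __VA_ARGS__); } while (0)
    EMIT("update delete %s. in A\n", fqdn);
    for (size_t i = 0; i < na; i++)
        EMIT("update add %s. %u in A %s\n", fqdn, ttl, a[i]);
    if (per_family)
        EMIT("send\n");
    EMIT("update delete %s. in AAAA\n", fqdn);
    for (size_t i = 0; i < naaaa; i++)
        EMIT("update add %s. %u in AAAA %s\n", fqdn, ttl, aaaa[i]);
    EMIT("send\n");
#undef EMIT
    return used < cap;   /* snprintf reports the would-be length on truncation */
}

/* Number of batches in a script: one per "send" line. */
int count_sends(const char *script)
{
    int n = 0;
    for (const char *p = script; (p = strstr(p, "send\n")) != NULL; p += 5)
        if (p == script || p[-1] == '\n')
            n++;
    return n;
}
/* Constructed sample input (documentation addresses): returns the batch count. */
int sample_batches(bool per_family)
{
    static const char *const a[] = { "192.0.2.10" };
    static const char *const aaaa[] = { "2001:db8::10" };
    char buf[512];
    if (!build_dyndns_script(buf, sizeof(buf), "client.example.com", 3600,
                             a, 1, aaaa, 1, per_family))
        return -1;
    return count_sends(buf);
}
```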
URL: https://github.com/SSSD/sssd/pull/707
Author: gmccollister
Title: #707: build: remove hardcoded samba include path
Action: opened
PR body:
"""
SMBCLIENT_FLAGS already provides the samba-4.0 include path. Remove the
hardcoded samba include path which causes cross-compilation warnings
such as:
cc1: warning: include location "/usr/include/samba-4.0" is unsafe for
cross-compilation [-Wpoison-system-directories]
These warnings are treated as errors on build systems such as
OpenEmbedded.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/707/head:pr707
git checkout pr707
URL: https://github.com/SSSD/sssd/pull/701
Author: pbrezina
Title: #701: ci: add ability to run tests in jenkins
Action: opened
PR body:
"""
Jenkins master polls GitHub for new branches and pull requests. When it discovers a new pull request or branch, or changes to an existing pull request or branch, it allocates a Jenkins agent and executes the pipeline defined in `./Jenkinsfile` (in the SSSD source) on this agent.
The pipeline executes `./contrib/test-suite/run.sh` and archives logs when testing is finished. The script `./contrib/test-suite/run.sh` prepares sssd-test-suite, starts the vagrant machines and copies the SSSD source code to the client machine. Then it calls `./contrib/test-suite/run-client.sh` on the client machine, which runs the continuous integration tests.
### Extending current tests
To extend the current testing capabilities, modify `./contrib/test-suite/run.sh` and `./contrib/test-suite/run-client.sh` to the new requirements. These files can be modified by anyone but are considered untrusted when they come from a contributor who is not an administrator of the SSSD repository. This means that if a public contributor submits a pull request that changes those files, Jenkins will refuse to run tests.
### Adding additional distribution to test on
You need to modify `./Jenkinsfile`. Simply copy, paste and amend existing Fedora 28 stage. This file is also considered untrusted so only administrators can modify it within a pull request.
You also need to extend `sssd-test-suite` and prepare vagrant boxes for this distro.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/701/head:pr701
git checkout pr701
URL: https://github.com/SSSD/sssd/pull/695
Author: pbrezina
Title: #695: sss_iface: prevent from using invalid names that start with digits
Action: opened
PR body:
"""
From:
https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-n…
- Bus names that start with a colon (':') character are unique connection names. Other bus names are called well-known bus names.
- Bus names are composed of 1 or more elements separated by a period ('.') character. All elements must contain at least one character.
- Each element must only contain the ASCII characters "[A-Z][a-z][0-9]_-", with "-" discouraged in new bus names. Only elements that are part of a unique connection name may begin with a digit, elements in other bus names must not begin with a digit.
- Bus names must contain at least one '.' (period) character (and thus at least two elements).
- Bus names must not begin with a '.' (period) character.
- Bus names must not exceed the maximum name length (255).
Resolves:
https://pagure.io/SSSD/sssd/issue/3872
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/695/head:pr695
git checkout pr695
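The rules quoted in the PR body, applied as an added example (not SSSD's sss_iface code; the function names are assumed). Elements of a unique connection name (leading ':') may start with a digit, elements of a well-known name may not, and the other length, separator and character rules are checked as well:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define DBUS_MAX_NAME_LEN 255   /* maximum bus name length from the quoted spec */

/* True when c is one of the element characters "[A-Z][a-z][0-9]_-". */
static bool is_element_char(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
        || (c >= '0' && c <= '9') || c == '_' || c == '-';
}

/* Hypothetical validator (not SSSD's own code): apply the bus-name rules
 * quoted above. A leading ':' marks a unique connection name, whose elements
 * may start with a digit; elements of well-known names must not. */
bool bus_name_is_valid(const char *name)
{
    const char *p;
    bool unique, at_elem_start = true;
    int dots = 0;

    if (name == NULL || name[0] == '\0' || strlen(name) > DBUS_MAX_NAME_LEN)
        return false;
    unique = (name[0] == ':');
    p = unique ? name + 1 : name;
    if (*p == '\0' || *p == '.')        /* must not begin with '.', needs an element */
        return false;

    for (; *p != '\0'; p++) {
        if (*p == '.') {
            if (at_elem_start)          /* "a..b": an empty element */
                return false;
            dots++;
            at_elem_start = true;
            continue;
        }
        if (!is_element_char(*p))
            return false;
        if (at_elem_start && !unique && *p >= '0' && *p <= '9')
            return false;               /* well-known element starting with a digit */
        at_elem_start = false;
    }
    if (at_elem_start)                  /* trailing '.' leaves an empty last element */
        return false;
    return dots >= 1;                   /* at least two elements */
}
```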