[sssd PR#561][opened] DYNDNS: Retry also on timeouts
by jhrozek
URL: https://github.com/SSSD/sssd/pull/561
Author: jhrozek
Title: #561: DYNDNS: Retry also on timeouts
Action: opened
PR body:
"""
There is the dyndns_server option that is supposed to make it possible for
the admin to select a server to update DNS with if the server detected by
nsupdate does not work. The fallback works OK for the case where nsupdate
fails with a non-zero return code, but doesn't work for the case where
nsupdate times out.
This patch extends the retry condition to also fall back to the
dyndns_server directive if nsupdate returns ERR_DYNDNS_TIMEOUT.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/561/head:pr561
git checkout pr561
5 years, 11 months
[sssd PR#554][opened] Several fixes for the files provider
by jhrozek
URL: https://github.com/SSSD/sssd/pull/554
Author: jhrozek
Title: #554: Several fixes for the files provider
Action: opened
PR body:
"""
This PR contains several fixes for the files provider, mainly a performance
bug which is really embarrassing - I have no idea why the code was #if-ed
out. I think I must have been experimenting with the provider update
and then forgot to remove the preprocessor macros. The rest is mostly code
cleanup and minor fixes.
btw initially I wanted to also include a fix to avoid removing cachedPassword
on updates, but I realized the current way where the files provider throws
away everything and then updates everything would force us to maintain
all the sssd-added attributes on our own. And because especially with 2FA
it might not be just cachedPassword, but also the factor length or offline
lockout counter etc, we might as well devise a better way to update the
cache than just throw away everything and recreate the entries, so I'll work
on that separately.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/554/head:pr554
git checkout pr554
5 years, 12 months
[sssd PR#511][opened] Do not shutdown KCM/Secrets responders when activities are happening ...
by fidencio
URL: https://github.com/SSSD/sssd/pull/511
Author: fidencio
Title: #511: Do not shutdown KCM/Secrets responders when activities are happening ...
Action: opened
PR body:
"""
Firstly, I'd like to make it **explicit** that this PR is **missing tests**, but I won't write them down till we have an agreement whether the proposed patches do look right/good.
Basically, while trying to reproduce https://pagure.io/SSSD/sssd/issue/3470 I've noticed that both secrets and kcm responders were going down due to the responder_idle_timeout expiring ... even with a lot of activities happening on them.
Does this approach look right? If yes, then, what would be the easiest way to test:
- A responder actually goes down after x seconds;
- Any activity on that responder will keep the responder alive for x more seconds;
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/511/head:pr511
git checkout pr511
5 years, 12 months
[sssd PR#128][opened] Fix group renaming issue when "id_provider = ldap" is set
by fidencio
URL: https://github.com/SSSD/sssd/pull/128
Author: fidencio
Title: #128: Fix group renaming issue when "id_provider = ldap" is set
Action: opened
PR body:
"""
Those two patches fix https://bugzilla.redhat.com/show_bug.cgi?id=1401241
The sssd.conf used in order to reproduce this issue looks like:
```
[sssd]
config_file_version = 2
services = nss, pam
domains = ad.fidencio.lan
[nss]
[pam]
[domain/ad.fidencio.lan]
ad_domain = ad.fidencio.lan
krb5_realm = AD.FIDENCIO.LAN
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
ldap_referrals = false
enumerate = false
id_provider = ldap
#id_provider = ad
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_schema = ad
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
```
The reproducer can be found in the bug report.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/128/head:pr128
git checkout pr128
6 years
[sssd PR#557][opened] nss-idmap: use right group list pointer after sss_get_ex()
by sumit-bose
URL: https://github.com/SSSD/sssd/pull/557
Author: sumit-bose
Title: #557: nss-idmap: use right group list pointer after sss_get_ex()
Action: opened
PR body:
"""
This pull-request fixes a memory management issue which might cause crashes in
long running processes and makes sure getgrouplist() returns the expected
results if the data is read from the memory mapped cache.
Related to https://pagure.io/SSSD/sssd/issue/3715
To verify the memory management issue you can run the following short test
program with valgrind:
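```c
/* Build against libsss_nss_idmap (link with -lsss_nss_idmap). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <sss_nss_idmap.h>

int main(int argc, char *argv[])
{
    int ret;
    const char *name;
    uint32_t flags = 0;
    unsigned int timeout = 10000;
    gid_t groups[10];
    int ngroups = 10;   /* size of groups[] passed to the call */
    int c;

    /* Take the user name from the command line, default to "testuser". */
    if (argc == 2) {
        name = (const char *) argv[1];
    } else {
        name = "testuser";
    }

    ret = sss_nss_getgrouplist_timeout(name, 112233, groups, &ngroups, flags,
                                       timeout);
    if (ret == 0) {
        printf("%s: %d\n", name, ngroups);
        for (c = 0; c < ngroups; c++) {
            /* gid_t is unsigned, so print it as such */
            printf(" %u\n", (unsigned int) groups[c]);
        }
    } else {
        printf("%s: sss_nss_getgrouplist_ex %d: %s\n", name, ret,
               strerror(ret));
    }

    return ret;
}
```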
If the user is a member of more than 10 groups there will be a reallocation of
memory which will cause the issue and valgrind will report this. The first
tests should be run with 'SSS_NSS_USE_MEMCACHE=NO' to make sure the code path
which talks directly to SSSD's nss responder is used.
The second patch fixes an issue in the code path which reads the data from the
memory mapped cache. Since an internal limit was set to the initial array size
there was no reallocation in this code path but the number of groups the user
is a member of couldn't be returned properly as well. If only the limit patch
is applied valgrind should report the memory management issue for this code
path as well.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/557/head:pr557
git checkout pr557
6 years