July 2018 - sssd-devel - Fedora Mailing-Lists

[sssd PR#625][opened] Revert "CRYPTO: Suppress warning Wstringop-truncation"

by mzidek-rh

URL: https://github.com/SSSD/sssd/pull/625 Author: mzidek-rh Title: #625: Revert "CRYPTO: Suppress warning Wstringop-truncation" Action: opened PR body: """ This reverts commit 2951a9a84bd85f384213a3e071ffc167907df2d7. The original use stpncpy was correct. Changing it to memcpy changed the resulting hash. This resulted in users from local domain to not be able to authenticate (offline authentication was also probably broken) if their hash was created before this change. https://pagure.io/SSSD/sssd/issue/3791 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/625/head:pr625 git checkout pr625

5 years, 8 months

2
5
0 / 0

[sssd PR#622][opened] MC: Remove check if record is in the mapped address space

by jhrozek

URL: https://github.com/SSSD/sssd/pull/622 Author: jhrozek Title: #622: MC: Remove check if record is in the mapped address space Action: opened PR body: """ There is a check in the memory cache code that checks if a record pointer points to the mmapped region . But since some time ago, we return not a pointer to the mmapped region itself, but a copy to avoid issues with invalidating an entry while the same entry is being returned. In most cases, the check is correct, simply because of how memory is laid out on Linux, but in some cases the check was failing and causing a high load of SSSD. Signed-off-by: Jakub Hrozek <jhrozek(a)redhat.com> Resolves: https://pagure.io/SSSD/sssd/issue/3776 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/622/head:pr622 git checkout pr622

5 years, 8 months

2
6
0 / 0

[sssd PR#568][opened] Strip whitespaces in netgroup triple.

by malyzelenyhnus

URL: https://github.com/SSSD/sssd/pull/568 Author: malyzelenyhnus Title: #568: Strip whitespaces in netgroup triple. Action: opened PR body: """ Strip leading and trailing whitespaces from netgroup three-tuple strings to be compatible with nss_ldap. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/568/head:pr568 git checkout pr568

5 years, 8 months

4
17
0 / 0

[sssd PR#619][opened] Desktop Profile: The 10th policy is producing a wrong file name

by fidencio

URL: https://github.com/SSSD/sssd/pull/619 Author: fidencio Title: #619: Desktop Profile: The 10th policy is producing a wrong file name Action: opened PR body: """ Please, see the attached patches. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/619/head:pr619 git checkout pr619

5 years, 8 months

2
6
0 / 0

[sssd PR#623][opened] RESP: Terminate client connection if the permissions check on the priv pipe fails

by jhrozek

URL: https://github.com/SSSD/sssd/pull/623 Author: jhrozek Title: #623: RESP: Terminate client connection if the permissions check on the priv pipe fails Action: opened PR body: """ Resolves: https://pagure.io/SSSD/sssd/issue/3777 The responder code just returned in case the permissions check failed. But at least with the sudo responder, this just caused an endless loop. If the permission check fails, it's best to just abort the client. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/623/head:pr623 git checkout pr623

5 years, 8 months

2
5
0 / 0

[sssd PR#621][opened] sdap: respect passwordGracelimit

by fidencio

URL: https://github.com/SSSD/sssd/pull/621 Author: fidencio Title: #621: sdap: respect passwordGracelimit Action: opened PR body: """ Since recent changes in 389-ds two response controls are end when passwordGracelimit is set and about to expire: - [1.3.6.1.4.1.42.2.27.8.5.1] for the GraceLimit itself - [2.16.840.1.113730.3.4.4] for the PasswordExpired Whenever the former is returned and the GraceLimit is still valid, we shouldn't report the latter to the users. Resolves: https://pagure.io/SSSD/sssd/issue/3597 Signed-off-by: Fabiano Fidêncio <fidencio(a)redhat.com> """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/621/head:pr621 git checkout pr621

5 years, 8 months

2
7
0 / 0

[sssd PR#591][opened] Remove spaces after comment delimiters in the example config file

by amitkumar50

URL: https://github.com/SSSD/sssd/pull/591 Author: amitkumar50 Title: #591: Remove spaces after comment delimiters in the example config file Action: opened PR body: """ If sssd.conf file contains configuration directives preceded with whitespace characters sss_obfuscate generates traceback. How Fix is tested? # vim /usr/lib/python2.7/site-packages/SSSDConfig/ipachangeconf.py Updated: r'(?P<option>[^:=\s][^:=]*)' to: r'\s*(?P<option>[^:=\s][^:=]*)' # /usr/local/sbin/sss_obfuscate --domain gsslab.pnq.redhat.com Enter password: Re-enter password: <<<<<<<<<No traceback seen>>>>>>>>>> Resolves: https://pagure.io/SSSD/sssd/issue/1391 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/591/head:pr591 git checkout pr591

5 years, 9 months

5
12
0 / 0

[sssd PR#522][opened] Prepare SSSD to support IPA in trust to Samba AD

by abbra

URL: https://github.com/SSSD/sssd/pull/522 Author: abbra Title: #522: Prepare SSSD to support IPA in trust to Samba AD Action: opened PR body: """ This pull request prepares SSSD ipa provider to support IPA in trust to Samba AD but the same changes are needed for a properly working bi-directional trust against Microsoft AD as well. To make everything fully working, one needs patches against FreeIPA too but SSSD changes are isolated. @sumit-bose @jhrozek please review. 1. When IPA establishes a trust to an Active Directory forest, a number of special objects is created in a subtree of `cn=trusts,$SUFFIX`. These objects represent Kerberos principals for trusted domain objects (TDOs) used for both incoming and outgoing trusts. For bi-directional trust there is a requirement that one of them (`<REMOTE FLAT NAME>$@<OUR REALM>`) must have a POSIX identity because a remote domain controller will use it to authenticate against smbd running on IPA master. SSSD only looks for user accounts in `cn=accounts,$SUFFIX`, so an attempt by smbd to resolve this principal name as a POSIX user via `getpwnam()` will fail. And the reason why smbd behaves this way is due to the fact that a Kerberos ticket used for authentication contains no MS-PAC record, thus not allowing Samba to build a local security token it needs. This is expected for the authentication using TDO account as it is used for bootstrapping reasons (AD DC couldn't create and sign MS-PAC record for an account in IPA realm) but the side effect is that TDO object must be known as a POSIX account on IPA master. Thus, we extend user search base in IPA provider to search in both `cn=accounts,$SUFFIX` and `cn=trusts,$SUFFIX`. Changes on FreeIPA side will handle access controls and generation of the POSIX information for the TDO accounts. 2. For long time we relied on using cross-realm TGTs to talk to Active Directory domain controllers (LDAP and GC services) in case of bi-directional trust. Unfortunately, this is not something we can continue using as there are multiple reasons such access can be denied by a trusted AD side, including SID filtering and other security measurements. It also happens that right now Samba AD in Fedora has a bug in handling a cross-realm TGT generated by the FreeIPA KDC. As result, while technically IPA could establish a bi-directional trust to Samba AD, it does not work as any SSSD attempt to connect to AD DCs via LDAP with GSSAPI will fail (Samba AD DC answers error with PROCESS_TGS message on Kerberos level and authentication fails). For this reason, we should remove any distinction when using bi-directional trust and simply always use a special keytab with a TDO object as we do in uni-directional trust case. While a more generic Kerberos authentication will not work in the outbound direction, SSSD will be able to resolve users/groups. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/522/head:pr522 git checkout pr522

5 years, 9 months

4
17
0 / 0

[sssd PR#617][opened] deskprofile: don't bail if we fail to save one profile

by fidencio

URL: https://github.com/SSSD/sssd/pull/617 Author: fidencio Title: #617: deskprofile: don't bail if we fail to save one profile Action: opened PR body: """ Due to different reasons (a bug on fleet-commander, for instance?) we may face the situation where one profile ends up stored in freeipa on a half-broken state (with no data, for instance). In case it happens, we should try our best to save the not broken profiles and just skip the broken ones instead of bailing the operation. Signed-off-by: Fabiano Fidêncio <fidencio(a)redhat.com> """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/617/head:pr617 git checkout pr617

5 years, 9 months

2
7
0 / 0

[sssd PR#615][opened] SDAP: Improve a confusing DEBUG message when initgroups search matches multiple entries

by jhrozek

URL: https://github.com/SSSD/sssd/pull/615 Author: jhrozek Title: #615: SDAP: Improve a confusing DEBUG message when initgroups search matches multiple entries Action: opened PR body: """ If SSSD is searching for a user using a name-based filtrer in an environment that uses nested OUs or sub domains, it is expected the search can return two or more entries. The correct entry is then matched using the domain name. But the error message was confusing admins, because it simply said "Expected one entry, found %d". This patch softens this error message and rewords the message in case the matching fails. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/615/head:pr615 git checkout pr615

5 years, 9 months

2
6
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel July 2018