URL: https://github.com/SSSD/sssd/pull/630
Title: #630: KCM/SECRETS: Use a library to access the secrets storage instead of the secrets responder, deprecate secrets responder
Label: -Changes requested
URL: https://github.com/SSSD/sssd/pull/630
Title: #630: KCM/SECRETS: Use a library to access the secrets storage instead of the secrets responder, deprecate secrets responder
jhrozek commented:
"""
Thank you for the review, I hope all comments were addressed (modulo those where I asked what you would prefer to have done).
"""
See the full comment at https://github.com/SSSD/sssd/pull/630#issuecomment-412021137
URL: https://github.com/SSSD/sssd/pull/630
Title: #630: KCM/SECRETS: Use a library to access the secrets storage instead of the secrets responder, deprecate secrets responder
Label: +Changes requested
URL: https://github.com/SSSD/sssd/pull/614
Author: asheplyakov
Title: #614: nss_protocol_fill_initgr: skip incomplete groups instead of bailing out
Action: opened
PR body:
"""
Suppose the user U is a member of (AD) groups D1\A, D1\B, D2\X, and no
domain controllers in the domain D2 can be reached at the moment (and
there is no cached info). As of now initgroups won't assign any groups
at all. To improve the behavior skip the incomplete groups so initgroups
assigns at least some groups (D1\A, D1\B in the above example).
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/614/head:pr614
git checkout pr614
URL: https://github.com/SSSD/sssd/pull/626
Author: jhrozek
Title: #626: SELINUX: Also call is_selinux_enabled as a check for selinux child
Action: opened
PR body:
"""
Resolves: https://pagure.io/SSSD/sssd/issue/3796
The SSSD selinux management routines were only checking if SELinux is
managed on the system. If it is managed, the code tries to proceed and set
the login context, otherwise an error is returned which SSSD handles
gracefully.
But this is not enough, in some cases SELinux might be disabled, but
managed and in these cases SSSD was returning strange errors, which might
have prevented login with selinux provider in effect.
We got this hint from the RH SELinux maintainer:
""" libsemanage is for managing SELinux infrastructure. Generally if there's
/etc/selinux/config where libsemanage can read SELINUXTYPE and SELinux
module store - /etc/selinux/<SELINUXTYPE>/active (or
/var/lib/selinux/<SELINUXTYPE>/active) - is available, libsemanage can
manage it even when SELinux is disabled.
I'm not sure if selinux_child does any is_selinux_enabled() checks but it
could help to avoid such situations.
""
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/626/head:pr626
git checkout pr626