URL: https://github.com/SSSD/sssd/pull/541
Author: pbrezina
Title: #541: memberof: keep memberOf attribute for nested member
Action: opened
PR body:
"""
If we have a member that is both a direct and a nested member,
the memberOf attribute was removed if the direct membership
was deleted.
1)
user ----------> groupB -> groupC
     -> groupA /
2)
user -> groupA -> groupB -> groupC
If we remove user->groupB from 1), we get 2) but groupB was still
removed from user memberOf attribute.
Resolves:
https://pagure.io/SSSD/sssd/issue/3636
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/541/head:pr541
git checkout pr541
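The edge case in PR #541 is easiest to see with the memberOf value recomputed as a reachability set rather than edited in place. The following Python model is an added example and not SSSD code: the graph, group names and the two helper functions are constructed here to reproduce the user -> groupA -> groupB -> groupC scenario from the PR description, contrasting the in-place deletion that drops groupB with a recomputation that keeps it.

```python
# Added example, not SSSD code: model the memberOf attribute as the set of groups
# reachable from an entry through nested membership, and compare two ways of
# handling the deletion of a direct membership.
from collections import deque


def member_of(graph, start):
    """Return every group reachable from `start` via direct-membership edges.

    `graph` maps an entry name to the set of groups it is a direct member of
    (constructed shape for this example, not sysdb's representation).
    """
    seen = set()
    queue = deque(graph.get(start, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(graph.get(group, ()))
    return seen


def naive_delete(memberof, group):
    """The behaviour the PR fixes: drop the group from memberOf unconditionally,
    ignoring the possibility that it is still reachable through another path."""
    return memberof - {group}


def recomputed_delete(graph, member, group):
    """Delete the direct edge member->group, then recompute memberOf from the
    remaining graph so that nested paths keep the group in the set."""
    graph[member].discard(group)
    return member_of(graph, member)


def scenario():
    """Constructed data matching the PR text: user is a direct member of groupB
    and of groupA, and groupA -> groupB -> groupC. Returns
    (memberOf before, naive result, recomputed result)."""
    graph = {
        "user": {"groupB", "groupA"},
        "groupA": {"groupB"},
        "groupB": {"groupC"},
        "groupC": set(),
    }
    before = member_of(graph, "user")
    naive = naive_delete(before, "groupB")
    correct = recomputed_delete(graph, "user", "groupB")
    return before, naive, correct


if __name__ == "__main__":
    before, naive, correct = scenario()
    print("before:    ", sorted(before))
    print("naive:     ", sorted(naive))     # groupB wrongly gone
    print("recomputed:", sorted(correct))   # groupB still reachable via groupA
```

Recomputing from the graph is the simplest correct rule; an implementation that maintains memberOf incrementally must instead check, before removing a value, whether any other remaining path still reaches that group, which is the situation the PR title describes.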
URL: https://github.com/SSSD/sssd/pull/706
Author: jhrozek
Title: #706: KCM: Fall back to using the first ccache if the default does not exist
Action: opened
PR body:
"""
Resolves: https://pagure.io/SSSD/sssd/issue/3838
KCM stores the default ccache in a separate DB entry. If the DB entry
contains a UUID that cannot be found in the DB for whatever reason, we
should just use the first ccache as the default. (This is what we already
do if there is no default)
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/706/head:pr706
git checkout pr706
URL: https://github.com/SSSD/sssd/pull/650
Author: jhrozek
Title: #650: Implement a hybrid mode of generating private groups
Action: opened
PR body:
"""
Related:
https://pagure.io/SSSD/sssd/issue/3822
Design page PR:
https://pagure.io/SSSD/docs/pull-request/72
Commit messages follow, hopefully they are enough to explain what is going on.
SYSDB: Special case getgrnam and getgrgid searches in hybrid MPG mode
In hybrid MPG mode, we want to return the MPG group only in case the user
entry has no original GID set. To achieve this, we first search with the
non-MPG filter to find 'real' groups. If that fails, we try the MPG filter,
but throw away entries that have any real GID set.
Related: https://pagure.io/SSSD/sssd/issue/3822
SYSDB: Refactor the mpg and non-mpg searches out of sysdb_getgrnam() and sysdb_getgrgid() to make them more reusable
The getgrnam and getgrgid searches already special-case lookups with
overrides where in some cases the search falls back to a non-MPG search.
The upcoming special case for the hybrid mode would do something similar,
just in the opposite direction, so it makes sense to split out the
functions for just the MPG step and just the non-MPG step into reusable
functions.
Related: https://pagure.io/SSSD/sssd/issue/3822
CONFDB/NSS: Add the hybrid MPG mode
Permits a new option value 'hybrid' for the auto_private_groups option. The
option was even previously marked as a string option in both the configAPI
and the man pages, so we don't have to change the type now.
If the hybrid mode is selected and the user's original GID number is
available, then during initgroups and getpwnam, it is used as their primary
GID instead of the MPG group. The original group is also not added as a
secondary group during initgroups in this case.
Related: https://pagure.io/SSSD/sssd/issue/3822
CONFDB: Read auto_private_groups as string, not bool
In preparation for adding the third value of auto_private_groups, this patch
reads the confdb value as string and checks for the option values on its
own.
Related: https://pagure.io/SSSD/sssd/issue/3822
UTIL: Convert bool mpg to an enum mpg_mode
Instead of bool mpg inside struct sss_domain_info, let's introduce enum
mpg_mode that currently maps pretty much 1:1 to the boolean. In future
patches, a third value will be added.
Also adds a getter for the mpg_mode value because we want to discourage
getting or setting the value directly. Instead, the sss_domain_info
structure should be opaque in the future.
Related: https://pagure.io/SSSD/sssd/issue/3822
UTIL: Add a is_domain_mpg shorthand
Instead of looking into the domain structure directly, add a
sss_domain_is_mpg() function. This will make sense when we add a third
state instead of the boolean that will also be mpg-like.
Related: https://pagure.io/SSSD/sssd/issue/3822
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/650/head:pr650
git checkout pr650
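The commit messages above describe three pieces of behaviour: parsing auto_private_groups as a string with a third value, choosing the primary GID in hybrid mode from the user's original GID when it exists, and the getgrgid special case that tries real groups first and only then the MPG filter while discarding users that have a real GID. The following Python model is an added example written for this page, not SSSD code: the `MpgMode` enum name mirrors the enum introduced by the PR, but the user and group dictionaries, the function names and the sample data are all constructed here.

```python
# Added example, not SSSD code: a model of the three auto_private_groups modes
# (false, true, hybrid) as described in the PR #650 commit messages.
from enum import Enum


class MpgMode(Enum):
    DISABLED = "false"
    ENABLED = "true"
    HYBRID = "hybrid"


def parse_auto_private_groups(value):
    """Read the option as a string, as the PR does. Assumed accepted spellings:
    'true', 'false' (case-insensitive) and the new 'hybrid' value."""
    v = value.strip().lower()
    for mode in MpgMode:
        if v == mode.value:
            return mode
    raise ValueError(f"unsupported auto_private_groups value: {value!r}")


def primary_gid(mode, user):
    """user: constructed dict with 'uid' and an optional 'orig_gid'."""
    if mode is MpgMode.DISABLED:
        return user["orig_gid"]          # no private groups at all
    if mode is MpgMode.ENABLED:
        return user["uid"]               # MPG: the private group's GID is the UID
    # hybrid: prefer the original GID when the user entry carries one
    return user["orig_gid"] if user.get("orig_gid") is not None else user["uid"]


def initgroups(mode, user, real_group_gids):
    """Return (primary gid, set of supplementary gids).

    Assumption for the ENABLED case: the original GID's group is added as a
    supplementary group, which the PR text implies by saying hybrid mode does
    *not* add it when the original GID becomes the primary GID.
    """
    primary = primary_gid(mode, user)
    supplementary = set(real_group_gids)
    orig = user.get("orig_gid")
    if mode is MpgMode.ENABLED and orig is not None:
        supplementary.add(orig)
    supplementary.discard(primary)
    return primary, supplementary


def getgrgid_hybrid(gid, groups, users):
    """Hybrid-mode group lookup: real groups first; then the MPG filter, but
    throw away users that have a real GID set."""
    for g in groups:
        if g["gid"] == gid:
            return g
    for u in users:
        if u["uid"] == gid and u.get("orig_gid") is None:
            return {"name": u["name"], "gid": gid, "members": [u["name"]]}
    return None


# Constructed sample directory: alice has a real primary group, bob does not.
USERS = [
    {"name": "alice", "uid": 1000, "orig_gid": 2000},
    {"name": "bob", "uid": 1001},
]
GROUPS = [{"name": "staff", "gid": 2000, "members": ["alice"]}]


if __name__ == "__main__":
    mode = parse_auto_private_groups("hybrid")
    for u in USERS:
        print(u["name"], initgroups(mode, u, {3000}))
    for gid in (1000, 1001, 2000):
        print(gid, getgrgid_hybrid(gid, GROUPS, USERS))
```

The two-step lookup order matters: a user with a real GID never yields a private group in hybrid mode, so a `getgrgid(1000)` for alice returns nothing rather than a phantom group that would disagree with the primary GID her `getpwnam` entry reports.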
URL: https://github.com/SSSD/sssd/pull/718
Author: jhrozek
Title: #718: NSS: Avoid changing the memory cache ownership away from the sssd user (sssd-1-16 backport)
Action: opened
PR body:
"""
Resolves:
https://pagure.io/SSSD/sssd/issue/3890
In case SSSD is compiled --with-sssd-user but run as root (which is the
default on RHEL and derivatives), then the memory cache will be owned by
the user that sssd_nss runs as, so root.
This conflicts with the packaging which specifies sssd.sssd as the owner. And
in turn, this means that users can't reliably assess the package integrity
using rpm -V.
This patch makes sure that the memory cache files are chowned to sssd.sssd
even if the nss responder runs as root.
Also, this patch changes the sssd_nss responder so that it becomes a member
of the supplementary sssd group. Even though in traditional UNIX sense,
a process running as root could write to a file owned by sssd:sssd, with
SELinux enforcing mode this becomes problematic as SELinux emits an error
such as:
type=AVC msg=audit(1543524888.125:1495): avc: denied { fsetid } for
pid=7706 comm="sssd_nss" capability=4 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:system_r:sssd_t:s0 tclass=capability
To make it possible for the sssd_nss process to write to the files, the
files are also made group-writable. The 'others' permission is still set
to read only.
Reviewed-by: Michal Židek <mzidek(a)redhat.com>
(cherry picked from commit 61e4ba58934b20a950255e05797aca25aadc1242)
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/718/head:pr718
git checkout pr718
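The packaging-integrity problem in PR #718 (files that should be owned by sssd.sssd, group-writable, world-readable only) is one an administrator can verify independently of `rpm -V`. The check below is an added example written for this page, not SSSD code: the function names, the expected mode and the temporary file it operates on are assumptions made here; a real check would be pointed at the memory cache files with the sssd user's uid and gid.

```python
# Added example, not SSSD code: verify and repair ownership and permissions of a
# cache file according to the policy in PR #718 (owner/group writable, others
# read-only, owned by the service user and group).
import os
import stat
import tempfile

EXPECTED_MODE = 0o664  # assumption: rw for owner and group, r for others


def check_cache_file(path, expected_uid, expected_gid):
    """Return a list of human-readable problems; an empty list means compliant."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid} != expected {expected_uid}")
    if st.st_gid != expected_gid:
        problems.append(f"group gid {st.st_gid} != expected {expected_gid}")
    if not mode & stat.S_IWGRP:
        problems.append("not group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if not mode & stat.S_IROTH:
        problems.append("not world-readable")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("setuid/setgid bit set")
    return problems


def fix_cache_file(path, uid, gid):
    """Apply the policy: chown to the service user/group and set EXPECTED_MODE.
    chown to another uid needs CAP_CHOWN, which is the situation the PR handles
    for a responder running as root."""
    os.chown(path, uid, gid)
    os.chmod(path, EXPECTED_MODE)


def demo():
    """Create a constructed temp file with too-strict mode, report the problems,
    repair it, and report again. Uses the current uid/gid as the 'service' ids."""
    uid, gid = os.getuid(), os.getgid()
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        before = check_cache_file(path, uid, gid)
        fix_cache_file(path, uid, gid)
        after = check_cache_file(path, uid, gid)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before)
    print("after fix: ", after)
```

Running this periodically against the real cache files, with the sssd user's ids, gives the same signal `rpm -V` would, independent of package metadata.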
URL: https://github.com/SSSD/sssd/pull/736
Author: jhrozek
Title: #736: KCM: Allow representing ccaches with a NULL principal
Action: opened
PR body:
"""
Related: https://pagure.io/SSSD/sssd/issue/3873
We need to make it possible to create an internal ccache representation
without passing in a principal. The principal is only assigned to the
ccache with krb5_cc_initialize(), but some programs like openssh use the
following sequence of calls:
krb5_cc_new_unique
krb5_cc_switch
krb5_cc_initialize
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/736/head:pr736
git checkout pr736
URL: https://github.com/SSSD/sssd/pull/712
Author: thalman
Title: #712: SSSCTL: user-checks does not show custom attributes
Action: opened
PR body:
"""
"sssctl user-checks" also queries the IFP interface of sssd. The problem
is that this command only displays POSIX user attrs, no matter if we
configured the InfoPipe for additional user attributes.
With this patch additional attributes are also printed out.
Resolves:
https://pagure.io/SSSD/sssd/issue/3866
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/712/head:pr712
git checkout pr712