URL: https://github.com/SSSD/sssd/pull/175
Author: lslebodn
Title: #175: Add module for starting services
Action: opened
PR body:
"""
This is a WIP version of reducing code duplication in our cwrap integration tests.
I am still not sure whether we should also reuse function `create_sssd_fixture`.
And if yes; then probably in different nodule then `services`
And comments are welcome.
BTW I wrote patches few weeks ago; therefore new tests are not converted.
I am just sending patches to get some feedback.
Site effect of this patches is that tests are cca 20% faster (IIRC)
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/175/head:pr175
git checkout pr175
URL: https://github.com/SSSD/sssd/pull/616
Author: asheplyakov
Title: #616: become_user: add supplementary groups so ad provider can access keytab
Action: opened
PR body:
"""
For security reasons one might want to run providers as a non-privileged
user (say, _sssd). However some providers (in particular ad) might need
an access to restricted (non world-readable) files (for instance,
/etc/krb5.keytab). One of the possible ways to solve the problem is to
- add a special group (for instance, _keytab)
- set the owner:group of the file in question to root:_keytab
- set the permissions of the file in question to 640
- make the _sssd user a member of the _keytab group
For this to work become_user should assign supplementary groups, which
is what this patch does.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/616/head:pr616
git checkout pr616
URL: https://github.com/SSSD/sssd/pull/269
Author: NWilson
Title: #269: Add support for ActiveDirectory's logonHours restrictions
Action: opened
PR body:
"""
This is a straightforward patch for denying access to a user when the user is not permitted to access their account due to logonHours restrictions.
This matches the default behaviour for domain-joined Windows machines. When outside the logonHours, all types of authentication are denied (password/Kerberos/certificate) - so it is appropriate to put this check inside the PAM "account" rules.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/269/head:pr269
git checkout pr269
URL: https://github.com/SSSD/sssd/pull/578
Author: amitkumar50
Title: #578: proxy: proxy_child hardening
Action: opened
PR body:
"""
proxy_child will call chdir("/"), umask(022)
and reset the environment with clearenv().
The --domain argument to be sanitized.
Resolves: https://pagure.io/SSSD/sssd/issue/2689
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/578/head:pr578
git checkout pr578
URL: https://github.com/SSSD/sssd/pull/693
Author: jhrozek
Title: #693: SYSDB: Fall back to the MPG result of getgrgid search if the non-MPG search for override doesn't match anything
Action: opened
PR body:
"""
Commit cf4f5e031ecbdfba0b55a4f69a06175a2e718e67 changed the logic of
getgrgid (and getpwnam, so far this patch only touches getgrgid) in the
sense that if looking up a GID in a MPG domain, the code checks if the GID
was overriden and if yes, it mandates that the overriden GID resolves to
a group by falling back to a non-MPG search.
This breaks the following use-case:
$ ipa idoverrideuser-add --uid=13133 --gidnumber=13133 'Default Trust View' user@domain
Most importantly, I'm on the fence about whether the current behaviour is
a bug or not. In general, I would have expected that if a primary GID is
overriden, you more or less break the MPG model, and then it's fair from
SSSD to make sure the GID number resolves to an entry. But apparently our
users were relying on the old behaviour where you can set the primary GID
with an override and then still resolve the primary group by ID to the user
entry.
So the patch in the PR is just a quick hack which sort of falls back to using
the user entry as the group if the overriden GID doesn't resolve to anything.
Should we support this use-case at all? Should we maybe limit it to
cases where the UID and GID are the same?
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/693/head:pr693
git checkout pr693
URL: https://github.com/SSSD/sssd/pull/596
Author: amitkumar50
Title: #596: [CONFDB]:[RFE] Add "enabled" option to domain section
Action: opened
PR body:
"""
Upstream Request:
Instead of enabling domains using the "domains" option in [sssd]
section we could have [domain/*] option "enabled". This would allow
admins to configure and enable domain in the same snippet file.
This Fix would be submitted in 2 patches:
Patch-1(This Patch):
- Introduces 'enabled' option in domain section
- Introduces 'CONFDB_DOMAIN_ENABLED' variable to retrieve enabled value
from confdb
- Code to call start_service() routine only for domains having enabled=1
Patch-2(Upcoming):
- Would remove 'domains' option from sssd section.
- Would remove corresponding code to parse 'domains' option
- Providing a check that atlest One domain have enabled option set.
Resolves: https://pagure.io/SSSD/sssd/issue/3735
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/596/head:pr596
git checkout pr596
URL: https://github.com/SSSD/sssd/pull/132
Author: fidencio
Title: #132: Add "Wants=" to sssd unit and avoid PAC responder to be always running
Action: opened
PR body:
"""
The first patch changes the current logic of having the services' sockets disabled by default as it adds a "Wants=" to the sssd unit file, making all the services' sockets enabled by the moment sssd service is enabled.
The second patch takes advantage of the first patch and avoids running PAC responder in case its socket is active, leaving the service to be socket-activated when needed.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/132/head:pr132
git checkout pr132
URL: https://github.com/SSSD/sssd/pull/558
Author: jhrozek
Title: #558: WIP: Add a test for sss_nss_getgrouplist_timeout and fix invalidating the initgroups cache
Action: opened
PR body:
"""
This is a WIP on adding tests for the sss_nss_ex interface. I covered only the sss_nss_getgrouplist_timeout function so far.
I'm submitting the PR already in this state to get some feedback if this
coverage is enough and the other functions can be covered similarly or
if there is some issue with this approach.
Also, I found a bug in invalidating the initgroups memory cache, that's
the first of the two patches. Here I'm really not sure if the fix is even
how the issue should be fixed, so I just hacked something up, even without
allocation checks etc.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/558/head:pr558
git checkout pr558