August 2020 - sssd-devel - Fedora Mailing-Lists

[sssd PR#5246][-Changes requested] Drop support of libnss as a crypto backend

by alexey-tikhonov

URL: https://github.com/SSSD/sssd/pull/5246 Title: #5246: Drop support of libnss as a crypto backend Label: -Changes requested

3 years, 7 months

1
0
0 / 0

[sssd PR#5246][+Waiting for review] Drop support of libnss as a crypto backend

by alexey-tikhonov

URL: https://github.com/SSSD/sssd/pull/5246 Title: #5246: Drop support of libnss as a crypto backend Label: +Waiting for review

3 years, 7 months

1
0
0 / 0

[sssd PR#5246][comment] Drop support of libnss as a crypto backend

by alexey-tikhonov

URL: https://github.com/SSSD/sssd/pull/5246 Title: #5246: Drop support of libnss as a crypto backend alexey-tikhonov commented: """ > There is just a left over call to `WITH_CRYPTO` macro on configure.ac. Since you removed the macro this should be removed as well. Thanks for the catch. Fixed. """ See the full comment at https://github.com/SSSD/sssd/pull/5246#issuecomment-678977171

3 years, 7 months

1
0
0 / 0

[sssd PR#5284][opened] Remove leftover ccache from SSH credentials delegation

by justin-stephenson

URL: https://github.com/SSSD/sssd/pull/5284 Author: justin-stephenson Title: #5284: Remove leftover ccache from SSH credentials delegation Action: opened PR body: """ This PR addresses the issue described in https://github.com/SSSD/sssd/pull/876#issuecomment-525734063 When KCM receives delegated credentials over SSH, a new ccache is initialized, filled in and switched to. If a ccache for this newly initialized principal already exists, an expired/stale ccache gets leftover in the cache. KCM will now compare this newly initialized principal against all existing ccache principals and remove any comparison match, ensuring KCM doesn't end up with a duplicate old ccache. I believe this finalizes the remaining work needed to resolve https://pagure.io/SSSD/sssd/issue/4017 (the main work being done in https://github.com/SSSD/sssd/pull/736 and https://github.com/SSSD/sssd/pull/876) but I would like to have someone confirm this. A simple reproducer case is the following: ~~~ # kinit $user # ssh -K -l $user hostname klist -A # ssh -K -l $user hostname klist -A ~~~ Without this PR each successive run of the ssh command would generate and store a new ccache in KCM on the host *hostname*, and that will be evident in the `klist -A` output. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5284/head:pr5284 git checkout pr5284

3 years, 8 months

3
13
0 / 0

[sssd PR#5178][comment] ldap: add new option ldap_library_debug_level

by alexey-tikhonov

URL: https://github.com/SSSD/sssd/pull/5178 Title: #5178: ldap: add new option ldap_library_debug_level alexey-tikhonov commented: """ > as I said I'd prefer to use a separate option for this because in more or less all cases this debug output is not needed and -1 is very verbose. So I think `"yet another one knob only few developers will be aware of"` is completely find here because it should be only used if there are strong indications that something is wrong on the libldap level. Ok. """ See the full comment at https://github.com/SSSD/sssd/pull/5178#issuecomment-678344292

3 years, 8 months

1
0
0 / 0

[sssd PR#5241][comment] GPO: respect ad_gpo_implicit_deny when evaluation rules

by sumit-bose

URL: https://github.com/SSSD/sssd/pull/5241 Title: #5241: GPO: respect ad_gpo_implicit_deny when evaluation rules sumit-bose commented: """ > I can't reproduce this. I have two users 1) Administrator, 2) vagrant. I allow access to the Administrator. Administrator is allowed to login as expected, vagrant is not able to login either way regardless on the option settings because an applicable gpo is found and the user is not explicitly allowed. Hi, the issue happens when there is no allow rule, i.e. RemoteInteractiveLogonRight is empty. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5241#issuecomment-678307489

3 years, 8 months

1
0
0 / 0

[sssd PR#5178][comment] ldap: add new option ldap_library_debug_level

by sumit-bose

URL: https://github.com/SSSD/sssd/pull/5178 Title: #5178: ldap: add new option ldap_library_debug_level sumit-bose commented: """ Hi, as I said I'd prefer to use a separate option for this because in more or less all cases this debug output is not needed and -1 is very verbose. So I think `"yet another one knob only few developers will be aware of"` is completely find here because it should be only used if there are strong indications that something is wrong on the libldap level. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5178#issuecomment-678295717

3 years, 8 months

1
0
0 / 0

[sssd PR#5241][comment] GPO: respect ad_gpo_implicit_deny when evaluation rules

by pbrezina

URL: https://github.com/SSSD/sssd/pull/5241 Title: #5241: GPO: respect ad_gpo_implicit_deny when evaluation rules pbrezina commented: """ I can't reproduce this. I have two users 1) Administrator, 2) vagrant. I allow access to the Administrator. Administrator is allowed to login as expected, vagrant is not able to login either way regardless on the option settings because an applicable gpo is found and the user is not explicitly allowed. ``` (2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_store_gpo_result_setting] (0x0400): Storing setting: key [SeRemoteInteractiveLogonRight] value [*S-1-5-21-433998187-2822908608-1404606238-500] (2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeRemoteInteractiveLogonRight] value [*S-1-5-21-433998187-2822908608-1404606238-500] (2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeDenyRemoteInteractiveLogonRight] value [(null)] (2020-08-21 15:36:40): [be[ad.vm]] [parse_policy_setting_value] (0x0400): No value for key [SeDenyRemoteInteractiveLogonRight] found in gpo result (2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): RESULTANT POLICY: (2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive (2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): allowed_size = 1 (2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): allowed_sids[0] = S-1-5-21-433998187-2822908608-1404606238-500 (2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): denied_size = 0 (2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): CURRENT USER: (2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-433998187-2822908608-1404606238-1000 (2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): group_sids[0] = S-1-5-21-433998187-2822908608-1404606238-513 (2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): group_sids[1] = S-1-5-11 (2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): POLICY DECISION: (2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): access_granted = 0 (2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): access_denied = 0 (2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_perform_hbac_processing] (0x0040): GPO access check failed: [1432158236](Host Access Denied) ``` The patch does not change the behavior. """ See the full comment at https://github.com/SSSD/sssd/pull/5241#issuecomment-678295162

3 years, 8 months

1
0
0 / 0

[sssd PR#5178][comment] ldap: add new option ldap_library_debug_level

by pbrezina

URL: https://github.com/SSSD/sssd/pull/5178 Title: #5178: ldap: add new option ldap_library_debug_level pbrezina commented: """ I just used this patch to debug something and it works as expected. The SSSD debug level is a bitmask and the idea behind it is that you can enable or disable specific messages. So we can certainly add SSSDDBG_EXTERNAL_LDAP or something and enable -1 ldap level if this is set. But I'm fine with the option as well, especially if you think that something else then -1 (enable all) is helpful. """ See the full comment at https://github.com/SSSD/sssd/pull/5178#issuecomment-678257102

3 years, 8 months

1
0
0 / 0

[sssd PR#5234][+Changes requested] pam: use requested_domains to restrict cache_req searches

by pbrezina

URL: https://github.com/SSSD/sssd/pull/5234 Title: #5234: pam: use requested_domains to restrict cache_req searches Label: +Changes requested

3 years, 8 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel August 2020