January 2021 - sssd-devel - Fedora Mailing-Lists

[sssd PR#616][opened] become_user: add supplementary groups so ad provider can access keytab

by asheplyakov

URL: https://github.com/SSSD/sssd/pull/616 Author: asheplyakov Title: #616: become_user: add supplementary groups so ad provider can access keytab Action: opened PR body: """ For security reasons one might want to run providers as a non-privileged user (say, _sssd). However some providers (in particular ad) might need an access to restricted (non world-readable) files (for instance, /etc/krb5.keytab). One of the possible ways to solve the problem is to - add a special group (for instance, _keytab) - set the owner:group of the file in question to root:_keytab - set the permissions of the file in question to 640 - make the _sssd user a member of the _keytab group For this to work become_user should assign supplementary groups, which is what this patch does. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/616/head:pr616 git checkout pr616

3 years, 2 months

5
13
0 / 0

[sssd PR#5463][opened] Add rsassapss cert for future checks

by peptekmail

URL: https://github.com/SSSD/sssd/pull/5463 Author: peptekmail Title: #5463: Add rsassapss cert for future checks Action: opened PR body: """ 3rd party smartcard providers sometimes use rsassapss for signing combined with a smaller nonstandard exponent. Unexpected characters in the commonname field creates troubles. Add more unexpected settings to this cert to easily create future checks. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5463/head:pr5463 git checkout pr5463

3 years, 2 months

4
18
0 / 0

[sssd PR#5251][opened] [wip] subdomains: allow to inherit case_sensitive=Preserving

by pbrezina

URL: https://github.com/SSSD/sssd/pull/5251 Author: pbrezina Title: #5251: [wip] subdomains: allow to inherit case_sensitive=Preserving Action: opened PR body: """ The first patch is just man page update to reflect current state. I think it makes sense to be able to show subdomain names in their original casing. Patches 2-3 make it work for AD provider. Patch 4 makes it work for IPA provider. There is apparantely a bug in winbind, but there is no link the any bugzilla so I do not know if it was already fixed. The commit is four years old. This patch requires case_sensitive=Preserving to be set also on the server, otherwise it does not work. It can be enabled without the server setting but we need to make nss_cmd_getpwnam_ex (and other _ex commands) to always return case preserving name. So before I continue the work I'd like to ask @sumit-bose if we can do it like this. Resolves: https://github.com/SSSD/sssd/issues/5250 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5251/head:pr5251 git checkout pr5251

3 years, 2 months

3
28
0 / 0

[sssd PR#5476][opened] sudo runas: do not add '%' to external groups in IPA

by abbra

URL: https://github.com/SSSD/sssd/pull/5476 Author: abbra Title: #5476: sudo runas: do not add '%' to external groups in IPA Action: opened PR body: """ When IPA allows to add AD users and groups directly to sudo rules (FreeIPA 4.9.1 or later), external groups will already have '%' prefix. Thus, we don't need to add additional '%'. Fixes: https://github.com/SSSD/sssd/issues/5475 Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com> """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5476/head:pr5476 git checkout pr5476

3 years, 2 months

3
10
0 / 0

[sssd PR#5470][opened] pam: refresh certificate maps at the end of initial domains lookup

by sumit-bose

URL: https://github.com/SSSD/sssd/pull/5470 Author: sumit-bose Title: #5470: pam: refresh certificate maps at the end of initial domains lookup Action: opened PR body: """ During startup SSSD's responders send a getDomains request to all backends to refresh some domain related needed by the responders. The PAM responder specifically needs the certificate mapping and matching rules when Smartcard authentication is enable. Currently the rules are not refreshed at the end of the initial request but the code assumed that the related structures are initialized after the request finished. To avoid a race condition this patch adds a callback to the end of the request to make sure the rules are properly refreshed even if they are already initialized before. Resolves: https://github.com/SSSD/sssd/issues/5469 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5470/head:pr5470 git checkout pr5470

3 years, 2 months

4
11
0 / 0

[sssd PR#5472][opened] man: sss_override clarification

by DeepakDas7

URL: https://github.com/SSSD/sssd/pull/5472 Author: DeepakDas7 Title: #5472: man: sss_override clarification Action: opened PR body: """ Clarify sss_override in man pages to indicate that the option is only supported in LDAP and AD provider. Resolves: https://github.com/SSSD/sssd/issues/5471 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5472/head:pr5472 git checkout pr5472

3 years, 2 months

5
20
0 / 0

userCertificate in integration tests.

by Per-Erik Persson

Looking thru the testcode and older entries in the mailinglist there seems to be no easy way to push a certificate for a testuser via the LDAP connection with Python. Using the openldap client is the only option I can think of. Are there any better ideas out there?

3 years, 2 months

2
3
0 / 0

[sssd PR#5461][opened] Tests:ad:sudo: support non-posix groups in sudo rules

by shridhargadekar

URL: https://github.com/SSSD/sssd/pull/5461 Author: shridhargadekar Title: #5461: Tests:ad:sudo: support non-posix groups in sudo rules Action: opened PR body: """ support non-posix groups in sudo rules. Verifies: Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1722842 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5461/head:pr5461 git checkout pr5461

3 years, 2 months

3
17
0 / 0

[sssd PR#5464][opened] BUILD: Accept krb5 1.19 for building the PAC plugin

by sumit-bose

URL: https://github.com/SSSD/sssd/pull/5464 Author: sumit-bose Title: #5464: BUILD: Accept krb5 1.19 for building the PAC plugin Action: opened PR body: """ None """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5464/head:pr5464 git checkout pr5464

3 years, 2 months

4
16
0 / 0

[sssd PR#5467][opened] SBUS: set sbus_name before dp_init_send()

by alexey-tikhonov

URL: https://github.com/SSSD/sssd/pull/5467 Author: alexey-tikhonov Title: #5467: SBUS: set sbus_name before dp_init_send() Action: opened PR body: """ Some async task might access sbus_name before dp_initialized() was executed Resolves: https://github.com/SSSD/sssd/issues/5466 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5467/head:pr5467 git checkout pr5467

3 years, 2 months

2
10
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel January 2021