November 2021 - sssd-devel - Fedora Mailing-Lists

[sssd PR#5881][opened] SDAP: Do not fail ASQ search when parsing a referenced entry fails

by scabrero

URL: https://github.com/SSSD/sssd/pull/5881 Author: scabrero Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails Action: opened PR body: """ In an attribute scoped query it may happen sssd doen't have permissions to read the attribute referenced entry, for example when it is located under a restricted LDAP sub-tree for security reasons. In this scenario sssd fails to resolve the group because the referenced entry can't be parsed and this can lead to missing groups and breaks using the group in simple access provider. This patch changes the ASQ entry parser to do not return an error when it is not possible to parse an entry. The issue can be replicated deploying this AD setup: CN=users,DC=aforest,DC=ad CN=g1,CN=users,DC=aforest,DC=ad member: CN=g2,CN=users,DC=aforest,DC=ad member: CN=g3,CN=users,DC=aforest,DC=ad member: CN=g4,CN=users,DC=aforest,DC=ad member: CN=g5,CN=users,DC=aforest,DC=ad member: CN=user1,CN=users,DC=aforest,DC=ad CN=g2,CN=users,DC=aforest,DC=ad member: CN=g3,CN=users,DC=aforest,DC=ad member: CN=g4,CN=users,DC=aforest,DC=ad member: CN=g5,CN=users,DC=aforest,DC=ad member: CN=user2,CN=users,DC=aforest,DC=ad memberOf: CN=g1,CN=users,DC=aforest,DC=ad CN=g3,CN=users,DC=aforest,DC=ad <-- Deny access to sssd account member: CN=g4,CN=users,DC=aforest,DC=ad member: CN=g5,CN=users,DC=aforest,DC=ad member: CN=user3,CN=users,DC=aforest,DC=ad memberOf: CN=g2,CN=users,DC=aforest,DC=ad memberOf: CN=g1,CN=users,DC=aforest,DC=ad CN=g4,CN=users,DC=aforest,DC=ad member: CN=g5,CN=users,DC=aforest,DC=ad member: CN=user5,CN=users,DC=aforest,DC=ad memberOf: CN=g3,CN=users,DC=aforest,DC=ad memberOf: CN=g2,CN=users,DC=aforest,DC=ad memberOf: CN=g1,CN=users,DC=aforest,DC=ad CN=g5,CN=users,DC=aforest,DC=ad member: CN=user5,CN=users,DC=aforest,DC=ad memberOf: CN=g4,CN=users,DC=aforest,DC=ad memberOf: CN=g3,CN=users,DC=aforest,DC=ad memberOf: CN=g2,CN=users,DC=aforest,DC=ad memberOf: CN=g1,CN=users,DC=aforest,DC=ad CN=user1,CN=users,DC=aforest,DC=ad memberOf: CN=g1,CN=users,DC=aforest,DC=ad CN=user2,CN=users,DC=aforest,DC=ad memberOf: CN=g2,CN=users,DC=aforest,DC=ad CN=user3,CN=users,DC=aforest,DC=ad memberOf: CN=g3,CN=users,DC=aforest,DC=ad CN=user4,CN=users,DC=aforest,DC=ad memberOf: CN=g4,CN=users,DC=aforest,DC=ad CN=user5,CN=users,DC=aforest,DC=ad memberOf: CN=g5,CN=users,DC=aforest,DC=ad And using this sssd.conf ------------------------------------------------------------------------------- [sssd] config_file_version = 2 services = nss, pam domains = aforest.ad [nss] [pam] [domain/aforest.ad] auth_provider = ad id_provider = ad access_provider = simple simple_allow_groups = g1 ldap_deref_threshold = 1 debug_level = 10 ------------------------------------------------------------------------------- In this setup sssd can't resolve group 'g1' because it fails parsing one of the referenced members, 'g3': $> getent group g1 No output. $> id user5 uid=1862001108(user5) gid=1862000513(domain users) groups=1862000513(domain users),1862001111,1862001109(s-1-5-21-3230380732-2157500517-2047582823-1109),1862001113(g5),1862001110(s-1-5-21-3230380732-2157500517-2047582823-1110),1862001112(g4) When the group is used to filter access it does not work: ... [simple_access_check_send] (0x0200): [RID#7] Simple access check for user1(a)aforest.ad ... [simple_check_get_groups_send] (0x0400): [RID#7] Need to resolve 3 groups [sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [(&(objectSID=S-1-5-21-3230380732-2157500517-2047582823-1109)(objectClass=group)(sAMAccountName=*))][DC=aforest,DC=ad]. ... [sdap_nested_group_hash_insert] (0x4000): [RID#8] Inserting [CN=g1,CN=Users,DC=aforest,DC=ad] into hash table [groups] [sdap_nested_group_process_send] (0x2000): [RID#8] About to process group [CN=g1,CN=Users,DC=aforest,DC=ad] ... [sdap_nested_group_process_send] (0x0400): [RID#8] More members were missing than the deref threshold [sdap_nested_group_process_send] (0x2000): [RID#8] Looking up 2/5 members of group [CN=g1,CN=Users,DC=aforest,DC=ad] [sdap_nested_group_process_send] (0x2000): [RID#8] Dereferencing members of group [CN=g1,CN=Users,DC=aforest,DC=ad] [sdap_deref_search_send] (0x2000): [RID#8] Server supports ASQ [sdap_asq_search_send] (0x0400): [RID#8] Dereferencing entry [CN=g1,CN=Users,DC=aforest,DC=ad] using ASQ ... [sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [no filter][CN=g1,CN=Users,DC=aforest,DC=ad]. ... [sdap_process_message] (0x4000): [RID#8] Message type: [LDAP_RES_SEARCH_ENTRY] [sdap_asq_search_parse_entry] (0x0040): [RID#8] Unknown entry type, no objectClass found for DN [CN=g3,CN=Users,DC=aforest,DC=ad]! [sdap_get_generic_op_finished] (0x0020): [RID#8] reply parsing callback failed. [sdap_op_destructor] (0x1000): [RID#8] Abandoning operation 3 [generic_ext_search_handler] (0x0020): [RID#8] sdap_get_generic_ext_recv request failed: [22]: Invalid argument [sdap_deref_search_done] (0x0040): [RID#8] dereference processing failed [22]: Invalid argument [sdap_nested_group_deref_direct_done] (0x0020): [RID#8] Error processing direct membership [22]: Invalid argument [sdap_nested_done] (0x0020): [RID#8] Nested group processing failed: [22][Invalid argument] ... [simple_resolve_group_done] (0x0080): [RID#8] Cannot refresh data from DP: 3,0: Group lookup failed ... [simple_check_get_groups_next] (0x2000): [RID#9] All groups resolved. Done. [simple_access_check_done] (0x0040): [RID#9] Could not collect groups of user user1(a)aforest.ad [simple_access_check_done] (0x0400): [RID#9] But no deny groups were defined so we can continue. [simple_check_groups] (0x4000): [RID#9] Checking against allow list group name [g1(a)aforest.ad]. [simple_access_check_done] (0x2000): [RID#9] Group check done [simple_access_check_recv] (0x1000): [RID#9] Access not granted ... Resolves: https://github.com/SSSD/sssd/issues/4893 Signed-off-by: Samuel Cabrero <scabrero(a)suse.de> """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5881/head:pr5881 git checkout pr5881

1 year, 10 months

5
23
0 / 0

[sssd PR#5674][opened] [WIP] This is just a test

by ikerexxe

URL: https://github.com/SSSD/sssd/pull/5674 Author: ikerexxe Title: #5674: [WIP] This is just a test Action: opened PR body: """ This is just a test for Deepak's latest PR, which fails in CI. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5674/head:pr5674 git checkout pr5674

1 year, 10 months

2
4
0 / 0

[sssd PR#5830][opened] Tests: Port the old ns_account_lock.sh script to pytest

by aborah-sudo

URL: https://github.com/SSSD/sssd/pull/5830 Author: aborah-sudo Title: #5830: Tests: Port the old ns_account_lock.sh script to pytest Action: opened PR body: """ Port the old ns_account_lock.sh script to pytest """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5830/head:pr5830 git checkout pr5830

1 year, 11 months

3
9
0 / 0

[sssd PR#5786][opened] Tests: [SSSD-3579]: Skip test test_0018_bz1734040.

by jakub-vavra-cz

URL: https://github.com/SSSD/sssd/pull/5786 Author: jakub-vavra-cz Title: #5786: Tests: [SSSD-3579]: Skip test test_0018_bz1734040. Action: opened PR body: """ The test does not work even with fixes for RHEL-9, skipping for now so it is not blocking RHEL-9 gating, until proper fix is found. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5786/head:pr5786 git checkout pr5786

1 year, 11 months

2
13
0 / 0

[sssd PR#5863][opened] Responder and Child process tevent chain id improvements

by justin-stephenson

URL: https://github.com/SSSD/sssd/pull/5863 Author: justin-stephenson Title: #5863: Responder and Child process tevent chain id improvements Action: opened PR body: """ This PR adds the following tevent chain ID functionality: * Add tevent chain ID logic into responders (log messages with tag [CID #]) * Add ability to parse child log files by passing the backend request ID into child processes and setting the chain ID inside the child. sss_chain_id getter/setter functions moved into their own source file (remove dependency to tevent), and some small changes to analyzer are needed. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5863/head:pr5863 git checkout pr5863

1 year, 11 months

5
86
0 / 0

[sssd PR#5869][opened] Translations update from Weblate

by weblate

URL: https://github.com/SSSD/sssd/pull/5869 Author: weblate Title: #5869: Translations update from Weblate Action: opened PR body: """ Translations update from [Weblate](https://translate.fedoraproject.org/projects/sssd/sssd-master/) for SSSD/sssd. Current translation status: ![Weblate translation status](https://translate.fedoraproject.org/widgets/sssd/-/sssd-master/ho... """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5869/head:pr5869 git checkout pr5869

1 year, 11 months

2
14
0 / 0

[sssd PR#5845][opened] sss-analyze: Fix self imports

by stanislavlevin

URL: https://github.com/SSSD/sssd/pull/5845 Author: stanislavlevin Title: #5845: sss-analyze: Fix self imports Action: opened PR body: """ - fixed self imports to allow any other Python stuff use `sssd` Python package - `sssd` Python package tranformed from namespace to regular one - moved the executable out to sbin directory to split the library and actual executable (sbin because of only root can read sssd logs) Resolves: https://github.com/SSSD/sssd/issues/5842 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5845/head:pr5845 git checkout pr5845

1 year, 11 months

5
60
0 / 0

[sssd PR#5894][opened] contrib: sssd krb5 configuration snippet

by ikerexxe

URL: https://github.com/SSSD/sssd/pull/5894 Author: ikerexxe Title: #5894: contrib: sssd krb5 configuration snippet Action: opened PR body: """ Add a configuration snippet for krb5 that points to the folder where the sssd configuration for this service is located. Resolves: https://github.com/SSSD/sssd/issues/5893 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5894/head:pr5894 git checkout pr5894

1 year, 12 months

4
18
0 / 0

[sssd PR#5867][opened] usertools: force local user for sssd process user

by ikerexxe

URL: https://github.com/SSSD/sssd/pull/5867 Author: ikerexxe Title: #5867: usertools: force local user for sssd process user Action: opened PR body: """ System hardening by forcing the sssd user to be loaded from a local database (/etc/passwd) instead of using any remote user. This could happen in very special conditions and might change the owner of the sssd databases and generate a denial of service. Moreover, clarify user option in sssd.conf, as it accepts both the user name and the id as input. The only constraint is that the user should be present in the local database (/etc/passwd). """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5867/head:pr5867 git checkout pr5867

1 year, 12 months

3
45
0 / 0

[sssd PR#5835][opened] Tests: Add test for bz1636002.

by jakub-vavra-cz

URL: https://github.com/SSSD/sssd/pull/5835 Author: jakub-vavra-cz Title: #5835: Tests: Add test for bz1636002. Action: opened PR body: """ Verifies: SSSD-3347 Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1636002 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5835/head:pr5835 git checkout pr5835

2 years

3
30
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel November 2021