URL: https://github.com/SSSD/sssd/pull/5539
Author: elkoniu
Title: #5539: [WIP] NSS: Clear negative cache when SIGHUP received
Action: opened
PR body:
"""
When NSS receives a SIGHUP signal it clears the memory cache.
As part of the signal handling procedure the negative cache
should also be cleared.
Resolves: https://github.com/SSSD/sssd/issues/4973
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5539/head:pr5539
git checkout pr5539
URL: https://github.com/SSSD/sssd/pull/5537
Author: sumit-bose
Title: #5537: negcache: use right domain in nss_protocol_fill_initgr()
Action: opened
PR body:
"""
When checking if a group returned by an initgroups request is filtered
in the negative cache the domain of the user was used. This does not
work reliably if the user can be a member of groups from multiple
domains.
With this patch the domain the group belongs to is determined and used
while checking the negative cache.
Resolves: https://github.com/SSSD/sssd/issues/5534
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5537/head:pr5537
git checkout pr5537
URL: https://github.com/SSSD/sssd/pull/5562
Author: sumit-bose
Title: #5562: AD GPO: respect ad_gpo_implicit_deny if no GPO is present
Action: opened
PR body:
"""
Currently ad_gpo_implicit_deny=True is not applied if there is no GPO at
all for the given client. With this patch this case is handled as
expected as well.
Resolves: https://github.com/SSSD/sssd/issues/5561
:fixes: respect ad_gpo_implicit_deny if no GPO is present
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5562/head:pr5562
git checkout pr5562
URL: https://github.com/SSSD/sssd/pull/5558
Author: 3v1n0
Title: #5558: p11_child: Add partial verification support
Action: opened
PR body:
"""
From the main commit:
<blockquote>
As per the switch to libcrypto by default, the CA certificates DB needs
to contain the whole certificates key-chain in order to verify a leaf
certificate. This means that if an intermediate CA authority signed a
leaf certificate the CA DB we provide to SSSD needs to contain the whole
key-chain, up to the root CA cert in order to verify the leaf one.
Now, while this is indeed more secure, it may break previous
configurations that were based on an NSS database that contained only
trusted intermediate CA certificates.
To allow such setups to continue working (once the NSS db is migrated)
we need to permit a "weaker" setup where an x509 certificate is verified
when the CA database we test against contains only the intermediate CA
certificate that was used to sign it.
As per this, support `partial_chain` value to be used as
`certification_verification` parameter that will add the
`X509_V_FLAG_PARTIAL_CHAIN` verify param flag to the store, as the
openssl's verify `-partial-chain` parameter works.
This setup can still be considered secure as it's still needed to have
configured the SSSD ca db to contain the trusted certs.
Add tests to check that we can verify a leaf certificate against its
parent (only) when using such option.
</blockquote>
In particular, in Ubuntu we [switched to use libcrypto by default in our current LTS](https://bugs.launchpad.net/ubuntu/focal/+source/sssd/+bug/1905790). Even though we never properly supported the usage of the NSS system DB, it was possible to set one up, and so we did a [simple migration tool](https://github.com/3v1n0/nss-database-pem-exporter) to export all the trusted NSS certificates to SSSD's `ca_db`.
However, there are still some custom setups that [may break when using the openssl-based implementation](https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1919563), because their NSS db only contained the issuing CA certificates (and not their parent certs), so it is not possible to verify their certificate.
So using `pam_cert_verification = partial_chain` on upgrades (if and only if migrated) we can ensure that no such system will be broken.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5558/head:pr5558
git checkout pr5558
URL: https://github.com/SSSD/sssd/pull/5495
Author: mtorromeo
Title: #5495: Fix python headers detection with recent autoconf (Fixes #5336)
Action: opened
PR body:
"""
See details in issue report #5336. This is causing issues on Arch Linux which is using autoconf-2.71 at the moment.
This only addresses the specific issue with python headers detection and not the whole use of if statements in autoconf files.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5495/head:pr5495
git checkout pr5495
URL: https://github.com/SSSD/sssd/pull/5535
Author: alexey-tikhonov
Title: #5535: A set of patches to sanitize logger code a little bit.
Action: opened
PR body:
"""
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5535/head:pr5535
git checkout pr5535
URL: https://github.com/SSSD/sssd/pull/5546
Author: pbrezina
Title: #5546: kcm: add GET_CRED_LIST for faster iteration
Action: opened
PR body:
"""
For large caches, one IPC operation per credential dominates the cost of
iteration. Instead transfer the whole list of credentials to the client in
one IPC operation.
Resolves: https://github.com/SSSD/sssd/issues/5545
This is a continuation of https://github.com/SSSD/sssd/pull/5375. The first
pull request addressed bottlenecks in sssd-kcm and reduced the test case
run time from 30 minutes to 2 minutes; this new operation takes it down to
9 seconds.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5546/head:pr5546
git checkout pr5546
URL: https://github.com/SSSD/sssd/pull/5564
Author: thalman
Title: #5564: DEBUG: Error is printed when everything is ok
Action: opened
PR body:
"""
Due to an invalid condition, an error message that the config file does not
exist is printed when there is actually no problem. This update fixes
the condition.
Thanks @alexey-tikhonov for pointing this out.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5564/head:pr5564
git checkout pr5564