Hi,
the IPA SELinux provider cannot look up subdomain user. This patch should fix it and ticket https://fedorahosted.org/sssd/ticket/1892.
bye, Sumit
On Thu, Apr 25, 2013 at 01:58:37PM +0200, Sumit Bose wrote:
[snip]
- op_ctx = ipa_selinux_create_op_ctx(be_req, be_ctx->domain->sysdb,
be_ctx->domain,
- if (strcasecmp(pd->domain, be_ctx->domain->name) != 0) {
subdom_be_ctx = ipa_get_subdomains_be_ctx(be_ctx);if (subdom_be_ctx == NULL) {DEBUG(SSSDBG_TRACE_ALL, ("Subdomains are not configured, " \"trying configured domain.\n"));user_domain = be_ctx->domain;
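Review bot: In the subdom_be_ctx == NULL branch, user_domain = be_ctx->domain substitutes the configured domain for the one named in the request, and the only record is an SSSDBG_TRACE_ALL message that does not include the requested domain name. For a handler that selects an SELinux context, a lookup in a substituted domain is harder to diagnose than a clean failure; suggest failing in this branch, or at least logging pd->domain at a level that shows up without full tracing.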
I wonder if this try of a configured domain would ever succeed? Shouldn't we just fail in case an unknown domain is requested and subdomains are off?
On Fri, Apr 26, 2013 at 10:28:53AM +0200, Jakub Hrozek wrote:
subdom_be_ctx = ipa_get_subdomains_be_ctx(be_ctx);if (subdom_be_ctx == NULL) {DEBUG(SSSDBG_TRACE_ALL, ("Subdomains are not configured, " \"trying configured domain.\n"));user_domain = be_ctx->domain;
I wonder if this try of a configured domain would ever succeed? Shouldn't we just fail in case an unknown domain is requested and subdomains are off?
My intention was to preserve the original behaviour as much as possible. But you are right, currently only the configured domain can be resolved in this case.
I will modify the patch accordingly.
bye, Sumit
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
On Fri, Apr 26, 2013 at 10:47:22AM +0200, Sumit Bose wrote:
My intention was to preserve the original behaviour as much as possible. But you are right, currently only the configured domain can be resolved in this case.
I will modify the patch accordingly.
New version attached.
bye, Sumit
On Fri, Apr 26, 2013 at 11:40:11AM +0200, Sumit Bose wrote:
New version attached.
if (subdom_be_ctx == NULL) {DEBUG(SSSDBG_CONF_SETTINGS, ("Subdomains are not configured, " \"cannot lookup domain [%s].\n",pd->domain));goto fail;
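Review bot: The subdom_be_ctx == NULL branch reaches goto fail with no error code assigned in the visible lines; confirm that the fail label reports an error status to the caller rather than whatever value the status variable held on entry. SSSDBG_CONF_SETTINGS is also a less severe level than the failure levels, so the reason for the failure will not be logged unless verbose debugging is enabled.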
Ack, I will just make this DEBUG message louder -- if a handler is failing, it should tell the user why it's failing loudly. I will use OP_FAILURE.
On Sun, Apr 28, 2013 at 09:10:43PM +0200, Jakub Hrozek wrote:
if (subdom_be_ctx == NULL) {DEBUG(SSSDBG_CONF_SETTINGS, ("Subdomains are not configured, " \"cannot lookup domain [%s].\n",pd->domain));goto fail;
Ack, I will just make this DEBUG message louder -- if a handler is failing, it should tell the user why it's failing loudly. I will use OP_FAILURE.
Pushed to master.
Unfortunately I realized I wanted to change the macro after I pushed the patch so I'm also going to push the attached simple patch (it's not a one liner but only because the DEBUG message spans three lines).
On 04/29/2013 03:05 PM, Jakub Hrozek wrote:
Pushed to master.
Unfortunately I realized I wanted to change the macro after I pushed the patch so I'm also going to push the attached simple patch (it's not a one liner but only because the DEBUG message spans three lines).
Ack to the additional 3-liner.
Michal
On Mon, Apr 29, 2013 at 03:22:08PM +0200, Michal Židek wrote:
Ack to the additional 3-liner.
Michal
Thanks, pushed to master.
On Mon, Apr 29, 2013 at 05:01:17PM +0200, Jakub Hrozek wrote:
Thanks, pushed to master.
I would like to fix this problem in sssd-1-9, too. Michal, you already know both SELinux code and the subdomains code to some extent, would you like to backport the patch?