URL: https://github.com/SSSD/sssd/pull/5284
Author: justin-stephenson
Title: #5284: Remove leftover ccache from SSH credentials delegation
Action: opened
PR body:
"""
This PR addresses the issue described in https://github.com/SSSD/sssd/pull/876#issuecomment-525734063
When KCM receives delegated credentials over SSH, a new ccache is initialized, filled in and switched to. If a ccache for this newly initialized principal already exists, an expired/stale ccache gets left over in the cache.
KCM will now compare this newly initialized principal against all existing ccache principals and remove any comparison match, ensuring KCM doesn't end up with a duplicate old ccache.
I believe this finalizes the remaining work needed to resolve https://pagure.io/SSSD/sssd/issue/4017 (the main work being done in https://github.com/SSSD/sssd/pull/736 and https://github.com/SSSD/sssd/pull/876) but I would like to have someone confirm this.
A simple reproducer case is the following:
~~~
# kinit $user
# ssh -K -l $user hostname klist -A
# ssh -K -l $user hostname klist -A
~~~
Without this PR each successive run of the ssh command would generate and store a new ccache in KCM on the host *hostname*, and that will be evident in the `klist -A` output.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5284/head:pr5284
git checkout pr5284
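A check for the symptom described in the PR body, added here as an example (not part of the PR or of SSSD): it parses `klist -A` output from the target host and reports principals that own more than one ccache. The sample output is constructed, not captured from a real host.

```python
import re
from datetime import datetime

# Constructed `klist -A` output from the SSH target host after two delegations
# for the same user (not real output): one stale KCM ccache and one fresh one.
KLIST_A_OUTPUT = """\
Ticket cache: KCM:1000:58394
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
08/20/2020 15:36:40  08/21/2020 01:36:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Ticket cache: KCM:1000:58417
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
08/21/2020 15:36:40  08/22/2020 01:36:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Ticket cache: KCM:1000:58420
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
08/21/2020 15:40:00  08/22/2020 01:40:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
# Matches the krbtgt row of each ccache: "<valid starting>  <expires>  krbtgt/..."
TGT_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/\S+$")


def parse_klist_all(text):
    """Split `klist -A` output into one record per ccache (name, principal, TGT expiry)."""
    caches = []
    cur = None
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cur = {"cache": line.split(":", 1)[1].strip(), "principal": None, "tgt_expires": None}
            caches.append(cur)
        elif line.startswith("Default principal:") and cur is not None:
            cur["principal"] = line.split(":", 1)[1].strip()
        elif cur is not None:
            m = TGT_RE.match(line)
            if m:
                cur["tgt_expires"] = datetime.strptime(m.group(2), "%m/%d/%Y %H:%M:%S")
    return caches


def duplicate_principals(caches):
    """Principals owning more than one ccache, each mapped to its caches, oldest TGT first."""
    by_principal = {}
    for c in caches:
        by_principal.setdefault(c["principal"], []).append(c)
    return {p: sorted(cs, key=lambda c: c["tgt_expires"]) for p, cs in by_principal.items() if len(cs) > 1}
```

Run it against the output of `klist -A` on the host after the two `ssh -K` invocations: with the fix applied the duplicate map should be empty.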
URL: https://github.com/SSSD/sssd/pull/5178
Title: #5178: ldap: add new option ldap_library_debug_level
alexey-tikhonov commented:
"""
> as I said I'd prefer to use a separate option for this because in more or less all cases this debug output is not needed and -1 is very verbose. So I think `"yet another one knob only few developers will be aware of"` is completely fine here because it should be only used if there are strong indications that something is wrong on the libldap level.
Ok.
"""
See the full comment at https://github.com/SSSD/sssd/pull/5178#issuecomment-678344292
URL: https://github.com/SSSD/sssd/pull/5241
Title: #5241: GPO: respect ad_gpo_implicit_deny when evaluation rules
sumit-bose commented:
"""
> I can't reproduce this. I have two users 1) Administrator, 2) vagrant. I allow access to the Administrator. Administrator is allowed to login as expected, vagrant is not able to login either way regardless on the option settings because an applicable gpo is found and the user is not explicitly allowed.
Hi,
the issue happens when there is no allow rule, i.e. RemoteInteractiveLogonRight is empty.
bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5241#issuecomment-678307489
URL: https://github.com/SSSD/sssd/pull/5178
Title: #5178: ldap: add new option ldap_library_debug_level
sumit-bose commented:
"""
Hi,
as I said I'd prefer to use a separate option for this because in more or less all cases this debug output is not needed and -1 is very verbose. So I think `"yet another one knob only few developers will be aware of"` is completely fine here because it should be only used if there are strong indications that something is wrong on the libldap level.
bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5178#issuecomment-678295717
URL: https://github.com/SSSD/sssd/pull/5241
Title: #5241: GPO: respect ad_gpo_implicit_deny when evaluation rules
pbrezina commented:
"""
I can't reproduce this. I have two users 1) Administrator, 2) vagrant. I allow access to the Administrator. Administrator is allowed to login as expected, vagrant is not able to login either way regardless on the option settings because an applicable gpo is found and the user is not explicitly allowed.
```
(2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_store_gpo_result_setting] (0x0400): Storing setting: key [SeRemoteInteractiveLogonRight] value [*S-1-5-21-433998187-2822908608-1404606238-500]
(2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeRemoteInteractiveLogonRight] value [*S-1-5-21-433998187-2822908608-1404606238-500]
(2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeDenyRemoteInteractiveLogonRight] value [(null)]
(2020-08-21 15:36:40): [be[ad.vm]] [parse_policy_setting_value] (0x0400): No value for key [SeDenyRemoteInteractiveLogonRight] found in gpo result
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): RESULTANT POLICY:
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): allowed_size = 1
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): allowed_sids[0] = S-1-5-21-433998187-2822908608-1404606238-500
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): denied_size = 0
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): CURRENT USER:
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-433998187-2822908608-1404606238-1000
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): group_sids[0] = S-1-5-21-433998187-2822908608-1404606238-513
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): group_sids[1] = S-1-5-11
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): POLICY DECISION:
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): access_granted = 0
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): access_denied = 0
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_perform_hbac_processing] (0x0040): GPO access check failed: [1432158236](Host Access Denied)
```
The patch does not change the behavior.
"""
See the full comment at https://github.com/SSSD/sssd/pull/5241#issuecomment-678295162
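A compact model of the allow/deny evaluation discussed in this thread, added here as an example (it is not SSSD's `ad_gpo_access_check()`); how `ad_gpo_implicit_deny` applies when the allow list is empty is an assumption taken from the discussion, not from SSSD's code. The SIDs are the ones from the debug log above.

```python
# Simplified model of the decision shown in the log above: an added example,
# not SSSD's ad_gpo_access_check(). How ad_gpo_implicit_deny interacts with an
# empty allow list is an assumption drawn from this thread, not from SSSD code.

def gpo_access_check(allowed_sids, denied_sids, user_sid, group_sids, implicit_deny=False):
    """Evaluate one logon right for a user; returns (access_granted, access_denied, decision).

    A user matches a SID list through their own SID or any of their group SIDs.
    """
    mine = {user_sid, *group_sids}
    access_granted = bool(mine & set(allowed_sids))
    access_denied = bool(mine & set(denied_sids))
    if access_denied:
        decision = "deny"        # an explicit deny always wins
    elif access_granted:
        decision = "allow"       # explicitly allowed
    elif not allowed_sids and not implicit_deny:
        decision = "allow"       # no allow rule at all: permissive default (assumed)
    else:
        decision = "deny"        # allow rule exists but user absent, or implicit deny
    return access_granted, access_denied, decision


# Values from the debug log in the comment above: the Administrator SID (RID 500)
# is allowed, the checked user has RID 1000 and is in Domain Users and Authenticated Users.
DOMAIN = "S-1-5-21-433998187-2822908608-1404606238"
LOGGED_CASE = dict(allowed_sids=[f"{DOMAIN}-500"], denied_sids=[],
                   user_sid=f"{DOMAIN}-1000", group_sids=[f"{DOMAIN}-513", "S-1-5-11"])

# Sumit's case: RemoteInteractiveLogonRight is empty, so only implicit_deny decides.
EMPTY_ALLOW_CASE = dict(allowed_sids=[], denied_sids=[],
                        user_sid=f"{DOMAIN}-1000", group_sids=[f"{DOMAIN}-513", "S-1-5-11"])
```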
URL: https://github.com/SSSD/sssd/pull/5178
Title: #5178: ldap: add new option ldap_library_debug_level
pbrezina commented:
"""
I just used this patch to debug something and it works as expected.
The SSSD debug level is a bitmask and the idea behind it is that you can enable or disable specific messages. So we can certainly add SSSDDBG_EXTERNAL_LDAP or something and enable -1 ldap level if this is set. But I'm fine with the option as well, especially if you think that something else than -1 (enable all) is helpful.
"""
See the full comment at https://github.com/SSSD/sssd/pull/5178#issuecomment-678257102