Patch to fix LDAP ID backend GSSAPI credential expired messages
by Eugene Indenbom
Dear SSSD developers,
I have started to create this patch in order to address the reclamation
filed on Fedora 12:
https://bugzilla.redhat.com/show_bug.cgi?id=575187
The problem shows up as a continuous flood of messages to the event log (2 every
10 minutes) about an expired Kerberos context.
Mar 28 06:39:17 node-2 sssd_be: GSSAPI Error: The referenced context has
expired (Unknown error)
Mar 28 06:39:17 node-2 sssd_be: GSSAPI Error: The referenced context has
expired (Unknown error)
The messages shown were caused by an expired Kerberos context. The assumption
made in ldap_child.c was that the Kerberos ticket is only needed during
connection setup, so it forcibly set the Kerberos ticket lifetime to 5
minutes. The assumption is unfortunately wrong, as with the MIT Kerberos
implementation Kerberos encryption and integrity are always enforced when
supported by both server and client. So after 5 minutes the connection's
Kerberos ticket expired and the connection was broken, polluting the event log and
putting additional load on the DS and KDC due to constant reconnects.
Please note that Kerberos authentication with the LDAP server is the default
for an IPA domain.
The natural solution for the problem was to increase the Kerberos ticket
lifetime. Further investigation showed that it is also necessary to close the
connection in a timely fashion, as even closing a connection with an expired ticket
caused a message to appear in the event log.
During implementation of the above fixes I have also identified several more
problems:
1. In case of 2 or more requests executed in parallel (all started before the
connection was established) it was possible to begin 2 connection operations
in parallel. One of the established connections was finally leaked, leaving the
connection to hang around.
2. There was no failover retry logic in the LDAP ID backend itself. Moreover, after
the first server failure (even on a stale cached connection) the whole backend
was put OFFLINE.
The patch attached to this message addresses all the above issues, as
well as:
1. Reduces the amount of duplicate code related to LDAP connection and retry
logic.
2. Puts the connection and retry logic on the same architectural level in
ldap_id.c (now all this logic is handled by the sdap_account_ function family),
which should benefit the readability of the code.
The patch design is as follows:
1. A new entity sdap_id_op represents a high-level LDAP query operation. It is
responsible for:
a) Keeping track of the LDAP connection
b) Keeping track of the number of reconnect retries
2. A new entity sdap_id_connection represents a connection attempt made by the LDAP
ID backend and later tracks connection usage.
3. sdap_id_ctx keeps track of all currently open connections and ensures:
a) That there is only one connection attempt in progress at a time.
Further operations are queued until the connection is completed.
b) That the cached connection is released in a timely fashion
c) That all connections are closed when all operations using them are
complete and they are released from the cache.
4. The retry logic of all LDAP operations is updated to use the new facility.
I have attached two versions of this patch:
- one against sssd-1.1.0. This version was thoroughly tested and is currently
in preproduction testing on several systems in my IPA domain.
- the other against the git repository. I have only made sure that the patch
compiles.
Looking forward to your reply, Eugene Indenbom
14 years, 1 month
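The connection-sharing and retry design described in the message above, as an added example that is not part of the patch or of SSSD's code: a small C model with the same three roles (a context that allows one connection attempt in flight and queues the other requests, operations that hold a reference to the shared connection, and a cached connection that is released ahead of its credential expiry and closed once its last user is done). The struct and function names, the fake clock, the 3600 s lifetime and the 60 s margin are this example's assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of the design above (not SSSD's code); the names, the numbers
 * and the fake clock in seconds are this example's assumptions. */
#define TICKET_LIFETIME 3600L /* assumed lifetime of the credentials used for the bind */
#define EXPIRE_MARGIN     60L /* release the cached connection this long before expiry */
#define MAX_QUEUE         16
struct conn { int refcount; long expire_at; bool cached; };
struct op   { struct conn *conn; int retries; };
struct id_ctx {
    long now;
    struct conn *cached;         /* at most one cached connection */
    bool connect_in_progress;    /* at most one attempt in flight */
    struct op *queue[MAX_QUEUE]; /* operations waiting for that attempt */
    int queued, connects_started, connects_closed;
};

static void conn_maybe_close(struct id_ctx *ctx, struct conn *c)
{
    if (c->cached || c->refcount > 0) return; /* still offered, or still in use */
    ctx->connects_closed++;
    free(c);
}

static bool conn_usable(const struct id_ctx *ctx, const struct conn *c)
{
    return c != NULL && c->cached && ctx->now + EXPIRE_MARGIN < c->expire_at;
}

/* 1: attached to the cached connection; 0: queued behind the single in-flight
 * attempt; -1: queue full. A parallel request never starts a second connect. */
int op_connect(struct id_ctx *ctx, struct op *op)
{
    if (conn_usable(ctx, ctx->cached)) {
        op->conn = ctx->cached;
        op->conn->refcount++;
        return 1;
    }
    if (ctx->queued == MAX_QUEUE) return -1;
    if (!ctx->connect_in_progress) {
        ctx->connect_in_progress = true;
        ctx->connects_started++;
    }
    ctx->queue[ctx->queued++] = op;
    return 0;
}

/* Attempt finished: queued operations share the one new connection, or each
 * records a retry on failure (a failure does not take the backend OFFLINE). */
void ctx_connect_done(struct id_ctx *ctx, bool success)
{
    struct conn *c = success ? malloc(sizeof(*c)) : NULL;
    if (c != NULL) {
        *c = (struct conn){ .expire_at = ctx->now + TICKET_LIFETIME, .cached = true };
        ctx->cached = c;
    }
    for (int i = 0; i < ctx->queued; i++) {
        struct op *op = ctx->queue[i];
        if (c != NULL) { op->conn = c; c->refcount++; }
        else           { op->conn = NULL; op->retries++; }
    }
    ctx->queued = 0;
    ctx->connect_in_progress = false;
}

void op_done(struct id_ctx *ctx, struct op *op)
{
    struct conn *c = op->conn;
    op->conn = NULL;
    if (c != NULL) { c->refcount--; conn_maybe_close(ctx, c); }
}

/* Advance the clock; release the cached connection ahead of context expiry so the
 * next request reconnects on fresh credentials instead of hitting "context has
 * expired". Operations still using it keep it until they finish. */
void ctx_tick(struct id_ctx *ctx, long seconds)
{
    struct conn *c = ctx->cached;
    ctx->now += seconds;
    if (c != NULL && !conn_usable(ctx, c)) {
        c->cached = false;
        ctx->cached = NULL;
        conn_maybe_close(ctx, c);
    }
}

/* Replays the two-parallel-requests scenario; returns 0, or the failing step. */
int scenario_parallel_requests(void)
{
    struct id_ctx ctx = {0};
    struct op a = {0}, b = {0}, c = {0}, d = {0};
    if (op_connect(&ctx, &a) != 0 || op_connect(&ctx, &b) != 0) return 1;
    if (ctx.connects_started != 1) return 2;           /* one attempt for two requests */
    ctx_connect_done(&ctx, true);
    if (a.conn == NULL || a.conn != b.conn || a.conn->refcount != 2) return 3;
    if (op_connect(&ctx, &c) != 1) return 4;           /* a later request reuses the cache */
    op_done(&ctx, &c); op_done(&ctx, &a);
    ctx_tick(&ctx, TICKET_LIFETIME);                   /* context about to expire */
    if (ctx.cached != NULL || ctx.connects_closed != 0) return 5; /* released, b still on it */
    op_done(&ctx, &b);
    if (ctx.connects_closed != 1) return 6;            /* closed once the last user is done */
    if (op_connect(&ctx, &d) != 0 || ctx.connects_started != 2) return 7;
    ctx_connect_done(&ctx, false);                     /* server failure: op gets a retry */
    return (d.conn == NULL && d.retries == 1) ? 0 : 8;
}
```

The scenario function replays the two problems listed in the message: two requests issued before any connection exists share one attempt instead of starting two (so nothing can be leaked), and a failed attempt leaves each queued operation with a retry count rather than marking anything OFFLINE. Releasing the cached connection at EXPIRE_MARGIN before the context expires, while letting in-flight users finish, is what keeps the "context has expired" error out of the log, which is the same reason the message gives for closing the connection in a timely fashion.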
Synchronous sysdb
by Simo Sorce
I have completed the work of making sysdb synchronous in my
fedorapeople repository.
Although all core functionality seems to work, we need some careful
testing of the stuff I touched that I wasn't able to test, like the IPA HBAC
stuff.
It's rebased on top of current master.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
Design proposal about INI interface improvements
by Dmitri Pal
Hi,
Currently the INI interface includes the following functions:
int config_from_file (const char *application, const char *config_filename,
struct collection_item **ini_config, int error_level,
struct collection_item **error_list)
Read configuration information from a file.
int config_from_fd (const char *application, int fd,
const char *config_source,
struct collection_item **ini_config,
int error_level,
struct collection_item **error_list)
Read configuration information from a file descriptor.
int config_from_file_with_lines (const char *application,
const char *config_filename,
struct collection_item **ini_config,
int error_level,
struct collection_item **error_list,
struct collection_item **lines)
Read configuration information from a file with extra collection of
line numbers.
int config_from_fd_with_lines (const char *application,
int fd,
const char *config_source,
struct collection_item **ini_config,
int error_level,
struct collection_item **error_list,
struct collection_item **lines)
Read configuration information from a file descriptor with extra
collection of line numbers.
int config_for_app (const char *application,
const char *config_file,
const char *config_dir,
struct collection_item **ini_config,
int error_level,
struct collection_item **error_set)
Read default configuration file and then overwrite it with a specific
one from the directory.
The first two and the last one are high-level functions.
The other two (with_lines) are experimental next-level functions exposed
for future use and documented as such.
I suggest that we eliminate these two functions and add the following:
int config_from_file_with_metadata (const char *application,
const char *config_filename,
struct collection_item **ini_config,
int error_level,
struct collection_item **error_list,
uint32_t metaflags,
struct collection_item **metadata)
Read configuration information from a file with meta data about the
file.
Similarly replace config_from_fd_with_lines with
config_from_fd_with_metadata and
add config_for_app_with_metadata.
The existing functions would just be wrappers around those with
metaflags = 0 and metadata arguments equal to NULL.
The metaflags would actually control what additional information to get;
for example, an application might want to know who the owner of the INI
file is,
what the permissions are, and when the file was created or last modified.
It can also ask to record the error (if any) that happened during the file
open operation. It can also ask to return the collection of line numbers -
this is for future grammar validation.
The metadata object, though a collection under the hood, will have a similar
interface to the rest of the INI interface. I mean one would be able to
do searches for the elements of the metadata by name, free the object
after use, etc.
Introducing the metadata concept paves the way to solving several tickets
that are currently in the backlog:
https://fedorahosted.org/sssd/ticket/405
https://fedorahosted.org/sssd/ticket/173
https://fedorahosted.org/sssd/ticket/82 - for this one the application can
inspect the metadata before trusting the configuration data it read and
proceeding.
It also makes the interface more extensible for special cases and
special data that might be needed in future for grammar validation,
for security checks, or for other cases like detecting if
the configuration has changed since the last time the application
read it.
Any objections if I do this when I have a spare moment?
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
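A concrete form of the "inspect the metadata before trusting the configuration" check from ticket 82, added here as an example; it is not libini_config's API, and the names ini_meta, ini_open_with_metadata, ini_check_trust and ini_changed_since are this example's own. It collects the owner, permissions and modification time the proposal lists, plus the error from the open operation, via fstat() on the opened descriptor, and refuses a file that is not a regular file, is owned by someone other than the expected user, or is writable by group or others. The demo helpers write a throwaway INI file under /tmp with constructed content.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed metadata record for this example; libini_config's real metadata
 * collection would carry the same facts under its own element names. */
struct ini_meta {
    uid_t uid;
    gid_t gid;
    mode_t mode;
    time_t mtime;
    int open_error;   /* errno from open()/fstat(), 0 on success */
};

enum ini_trust {
    INI_TRUST_OK = 0,
    INI_TRUST_OPEN_FAILED,
    INI_TRUST_NOT_REGULAR,
    INI_TRUST_WRONG_OWNER,
    INI_TRUST_WRITABLE_BY_OTHERS
};

/* Open first, then fstat() the descriptor, so the metadata describes the file
 * that is actually parsed (stat()-then-open() leaves a TOCTOU window).
 * O_NOFOLLOW makes a symlinked config fail with ELOOP rather than be trusted. */
int ini_open_with_metadata(const char *path, struct ini_meta *meta)
{
    struct stat st;
    memset(meta, 0, sizeof(*meta));
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) { meta->open_error = errno; return -1; }
    if (fstat(fd, &st) < 0) { meta->open_error = errno; close(fd); return -1; }
    meta->uid = st.st_uid;
    meta->gid = st.st_gid;
    meta->mode = st.st_mode;
    meta->mtime = st.st_mtime;
    return fd;
}

/* The check an application runs before trusting what it read (ticket #82):
 * a regular file, owned by the expected user, not writable by group or others. */
enum ini_trust ini_check_trust(const struct ini_meta *meta, uid_t expected_owner)
{
    if (meta->open_error) return INI_TRUST_OPEN_FAILED;
    if (!S_ISREG(meta->mode)) return INI_TRUST_NOT_REGULAR;
    if (meta->uid != expected_owner) return INI_TRUST_WRONG_OWNER;
    if (meta->mode & (S_IWGRP | S_IWOTH)) return INI_TRUST_WRITABLE_BY_OTHERS;
    return INI_TRUST_OK;
}

/* Change detection between two reads: mtime, owner or mode moved. */
bool ini_changed_since(const struct ini_meta *then, const struct ini_meta *now)
{
    return then->mtime != now->mtime || then->uid != now->uid || then->mode != now->mode;
}

/* Demo helper: a throwaway INI file with the given permission bits, owned by us. */
static int make_demo_file(char *path, size_t len, mode_t mode)
{
    static const char body[] = "[sssd]\nservices = nss, pam\n";  /* constructed content */
    snprintf(path, len, "/tmp/ini_meta_XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, body, sizeof body - 1) < 0 || fchmod(fd, mode) < 0) {
        close(fd); unlink(path); return -1;
    }
    close(fd);
    return 0;
}

/* Verdict for a fresh file created with the given mode (-1 on setup failure). */
int demo_trust_for_mode(mode_t mode)
{
    char path[64];
    struct ini_meta meta;
    if (make_demo_file(path, sizeof path, mode) < 0) return -1;
    int fd = ini_open_with_metadata(path, &meta);
    int verdict = ini_check_trust(&meta, getuid());
    if (fd >= 0) close(fd);
    unlink(path);
    return verdict;
}

/* Verdict for an arbitrary path, e.g. a missing file or a directory. */
int demo_trust_for_path(const char *path)
{
    struct ini_meta meta;
    int fd = ini_open_with_metadata(path, &meta);
    if (fd >= 0) close(fd);
    return ini_check_trust(&meta, getuid());
}
```

The expected owner is a parameter because a daemon's configuration is normally checked against root (uid 0), whereas the demo checks against the calling user so it runs unprivileged. Returning the open descriptor from the same call that produced the metadata is deliberate: parsing a path reopened later would re-introduce the race the fstat() avoids.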
[PATCH] Allow arbitrary-length PAM messages
by Stephen Gallagher
The PAM standard allows for messages of any length to be returned
to the client. We were discarding all messages of length greater
than 255. This patch dynamically allocates the message buffers so
we can pass the complete message.
This resolves https://fedorahosted.org/sssd/ticket/432
--
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
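The fixed-limit behaviour the message describes beside its dynamically allocated replacement, as an added example that is not the patch itself or SSSD's code. The two copy functions, the 255-byte constant and the 64 KiB sanity ceiling are this example's assumptions; the demo functions build a constructed message of n bytes and report how much of it survives each path.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the behaviour the patch describes, not SSSD's code. */
#define OLD_MSG_MAX  255          /* the fixed limit the patch removes */
#define MSG_SANE_MAX (64 * 1024)  /* assumed ceiling; the client supplies the length, so bound it */

/* Before: fixed buffer, anything longer than 255 bytes is discarded (-1). */
int pam_msg_copy_fixed(const char *msg, size_t len, char out[OLD_MSG_MAX + 1])
{
    if (len > OLD_MSG_MAX) return -1;
    memcpy(out, msg, len);
    out[len] = '\0';
    return 0;
}

/* After: allocate for the actual length. The length arrives from the other side
 * of the socket, so it is still bounded: len + 1 cannot wrap and a hostile
 * client cannot make the responder allocate arbitrary memory. */
char *pam_msg_copy_dynamic(const char *msg, size_t len)
{
    if (len > MSG_SANE_MAX) return NULL;
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;
    memcpy(out, msg, len);
    out[len] = '\0';
    return out;
}

/* Demo: a constructed n-byte message ('A' repeated) through the fixed path.
 * Returns the length that reached the client, -1 if discarded, -2 on setup failure. */
long demo_fixed_delivered(size_t n)
{
    char out[OLD_MSG_MAX + 1];
    char *msg = malloc(n ? n : 1);
    if (msg == NULL) return -2;
    memset(msg, 'A', n);
    long delivered = pam_msg_copy_fixed(msg, n, out) == 0 ? (long)strlen(out) : -1;
    free(msg);
    return delivered;
}

/* Same message through the dynamic path; -1 if rejected by the sanity ceiling. */
long demo_dynamic_delivered(size_t n)
{
    char *msg = malloc(n ? n : 1);
    if (msg == NULL) return -2;
    memset(msg, 'A', n);
    char *out = pam_msg_copy_dynamic(msg, n);
    long delivered = out != NULL ? (long)strlen(out) : -1;
    free(out);
    free(msg);
    return delivered;
}
```

The ceiling is the caveat a reviewer would add to "any length": once the buffer is sized by a value read from the client, the responder needs an explicit upper bound, or a single malformed request can force an arbitrarily large allocation.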
[PATCH] Fix segfault in path_utils_ut
by Stephen Gallagher
These unit tests are paying off already. This segfault would have caused
problems in libpath_utils.
This patch also addresses a failure in path_split() to initialize a
return value.
--
Stephen Gallagher
RHCE 804006346421761
[PATCH] path_utils improvements
by Jakub Hrozek
These 3 patches add unit tests and convert documentation that was
already present in the header file into doxygen format. The bugs found
when adding the tests are fixed in a separate patch.
John, I'm not sure you are subscribed to sssd-devel, so I CC-ed you
directly as you are the original author of the module.
[PATCH] Add krb5_kpasswd to IPA provider
by Stephen Gallagher
The krb5 options were out of sync, causing a runtime abort.
This patch is slightly modified from the one attached to
https://bugzilla.redhat.com/show_bug.cgi?id=576856 since that one only
added the missing option and did not update the IPA_KRB5_OPTS value (but
I have retained attribution to Eugene)
--
Stephen Gallagher
RHCE 804006346421761
[PATCH] Allow running with read only root
by Jakub Hrozek
Packages the /etc/rwtab.d/sssd file that allows SSSD to run on a read-only
root filesystem.
Fixes: #428
The original reporter won't be able to test for a couple of days, but
I did some testing (LDAP identity + Kerberos auth), so I think we can at
least review whether the patch is correct.