Could not create empty directory [tests_krb5_utils]. Please remove [tests_krb5_utils].
by Antek Baranski
Hi there
I grabbed the sources for the 1.11.2 release (
https://fedorahosted.org/released/sssd/sssd-1.11.2.tar.gz) and tried to
build the rpm packages on a CentOS 6.4 (2.6.32-358.23.2.el6.x86_64) and it
fails because of the krb5_util tests and subsequent check_and_open tests.
I googled the error and it looks like this was discussed in 2012 already
https://lists.fedorahosted.org/pipermail/sssd-devel/2012-June/010098.html,
but the resolution is unclear to me. I've read the docs but was not able to
find anything specific about how to 'fix' the problem, short of literally
removing the references from the Makefile.am and building that way.
Could not create empty directory [tests_krb5_utils]. Please remove [tests_krb5_utils].
FAIL: krb5-utils-tests
Running suite(s): check_and_open
(Tue Dec 3 23:12:06:123706 2013) [sssd] [check_and_open_readonly] (0x0020): open [/bla/bla/bla] failed: [2][No such file or directory].
(Tue Dec 3 23:12:06:124247 2013) [sssd] [perform_checks] (0x0020): File is not the right type.
(Tue Dec 3 23:12:06:124335 2013) [sssd] [check_and_open_readonly] (0x0020): check_fd failed.
(Tue Dec 3 23:12:06:124872 2013) [sssd] [perform_checks] (0x0020): File is not the right type.
(Tue Dec 3 23:12:06:125803 2013) [sssd] [perform_checks] (0x0020): File must be owned by uid [1].
(Tue Dec 3 23:12:06:125862 2013) [sssd] [check_and_open_readonly] (0x0020): check_fd failed.
(Tue Dec 3 23:12:06:126299 2013) [sssd] [perform_checks] (0x0020): File must be owned by gid [1].
(Tue Dec 3 23:12:06:126386 2013) [sssd] [check_and_open_readonly] (0x0020): check_fd failed.
(Tue Dec 3 23:12:06:126834 2013) [sssd] [perform_checks] (0x0020): File has the wrong mode [0000600], expected [0000602].
(Tue Dec 3 23:12:06:126896 2013) [sssd] [check_and_open_readonly] (0x0020): check_fd failed.
100%: Checks: 9, Failures: 0, Errors: 0
PASS: check_and_open-tests
Running suite(s): files_suite
100%: Checks: 4, Failures: 0, Errors: 0
PASS: files-tests
Running suite(s): refcount
100%: Checks: 2, Failures: 0, Errors: 0
PASS: refcount-tests
Running suite(s): fail_over
(Tue Dec 3 23:12:06:369361 2013) [sssd] [fo_resolve_service_send] (0x0020): No available servers for service 'http'
(Tue Dec 3 23:12:06:369467 2013) [sssd] [fo_resolve_service_send] (0x0020): No available servers for service 'ldap'
100%: Checks: 2, Failures: 0, Errors: 0
PASS: fail_over-tests
Running suite(s): find_uid
100%: Checks: 3, Failures: 0, Errors: 0
PASS: find_uid-tests
Running suite(s): auth
100%: Checks: 1, Failures: 0, Errors: 0
PASS: auth-tests
Running suite(s): ipa_ldap_opt
100%: Checks: 5, Failures: 0, Errors: 0
PASS: ipa_ldap_opt-tests
Running suite(s): ad_ldap_opt
100%: Checks: 2, Failures: 0, Errors: 0
PASS: ad_ldap_opt-tests
Running suite(s): access_simple
100%: Checks: 11, Failures: 0, Errors: 0
PASS: simple_access-tests
Running suite(s): sss_crypto
100%: Checks: 5, Failures: 0, Errors: 0
PASS: crypto-tests
Running suite(s): util
test_murmurhash3_random seed: 1386112326
100%: Checks: 20, Failures: 0, Errors: 0
PASS: util-tests
Running suite(s): debug
100%: Checks: 18, Failures: 0, Errors: 0
PASS: debug-tests
Running suite(s): HBAC
100%: Checks: 9, Failures: 0, Errors: 0
PASS: ipa_hbac-tests
Running suite(s): IDMAP
100%: Checks: 22, Failures: 0, Errors: 0
PASS: sss_idmap-tests
Running suite(s): Responder socket access
100%: Checks: 2, Failures: 0, Errors: 0
PASS: responder_socket_access-tests
Running suite(s): sysdb_ssh
100%: Checks: 4, Failures: 0, Errors: 0
PASS: sysdb_ssh-tests
==================================================
1 of 24 tests failed
Please report to sssd-devel(a)lists.fedorahosted.org
==================================================
make[3]: *** [check-TESTS] Error 1
make[3]: Leaving directory `/root/sssd/sssd-1.11.2/rpmbuild/BUILD/sssd-1.11.2'
make[2]: *** [check-am] Error 2
make[2]: Leaving directory `/root/sssd/sssd-1.11.2/rpmbuild/BUILD/sssd-1.11.2'
make[1]: *** [check-recursive] Error 1
make[1]: Leaving directory `/root/sssd/sssd-1.11.2/rpmbuild/BUILD/sssd-1.11.2'
error: Bad exit status from /var/tmp/rpm-tmp.jRjLNf (%check)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.jRjLNf (%check)
make: *** [rpms] Error 1
--
Antek Baranski
Roblox - Engineering Director
cell: 310-866-1622
skype: tekkie
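The check_and_open messages in the log above (file type, owning uid and gid, and mode are checked on the descriptor that was just opened) show the pattern the check_and_open test suite exercises. As an added illustration, not SSSD's own code, here is a small re-creation of that pattern: open the path without following a final symlink, then validate the descriptor with fstat, so that the object that was checked is the object that gets used. The names check_and_open_readonly, check_fd and the demo_* helpers, the scratch file under /tmp and the message wording are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Validate an already-open descriptor rather than a path name: there is no
 * window between the check and the open in which the object can be swapped.
 * Hypothetical re-creation of the check_and_open pattern, not SSSD code. */
static int check_fd(int fd, uid_t uid, gid_t gid, mode_t mode, mode_t mask)
{
    struct stat st;

    if (fstat(fd, &st) == -1) {
        return errno;
    }
    if (!S_ISREG(st.st_mode)) {
        fprintf(stderr, "File is not the right type.\n");
        return EINVAL;
    }
    if (st.st_uid != uid) {
        fprintf(stderr, "File must be owned by uid [%u].\n", (unsigned) uid);
        return EINVAL;
    }
    if (st.st_gid != gid) {
        fprintf(stderr, "File must be owned by gid [%u].\n", (unsigned) gid);
        return EINVAL;
    }
    if ((st.st_mode & mask) != (mode & mask)) {
        fprintf(stderr, "File has the wrong mode [%07o], expected [%07o].\n",
                (unsigned) (st.st_mode & mask), (unsigned) (mode & mask));
        return EINVAL;
    }
    return 0;
}

/* Open read-only without following a trailing symlink, then validate the fd.
 * Returns 0 and stores the fd in *fd_out, or an errno value (fd closed). */
int check_and_open_readonly(const char *path, uid_t uid, gid_t gid,
                            mode_t mode, mode_t mask, int *fd_out)
{
    int fd, ret;

    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd == -1) {
        ret = errno;
        fprintf(stderr, "open [%s] failed: [%d][%s].\n", path, ret, strerror(ret));
        return ret;
    }
    ret = check_fd(fd, uid, gid, mode, mask);
    if (ret != 0) {
        close(fd);
        return ret;
    }
    *fd_out = fd;
    return 0;
}

/* Constructed scenario: a fresh 0600 file owned by the calling user, checked
 * against whatever mode the caller expects. Returns the check result. */
int demo_owned_file(mode_t expected_mode)
{
    char path[] = "/tmp/check_open_demo_XXXXXX";
    int fd, opened = -1, ret;

    fd = mkstemp(path);
    if (fd == -1) {
        return errno;
    }
    if (fchmod(fd, 0600) == -1) {
        ret = errno;
        close(fd);
        unlink(path);
        return ret;
    }
    close(fd);
    ret = check_and_open_readonly(path, geteuid(), getegid(),
                                  expected_mode, 07777, &opened);
    if (opened != -1) {
        close(opened);
    }
    unlink(path);
    return ret;
}

/* Missing path: the open itself fails and its errno is propagated. */
int demo_missing_path(void)
{
    int fd = -1;
    return check_and_open_readonly("/nonexistent/bla/bla", geteuid(), getegid(),
                                   0600, 07777, &fd);
}

/* A directory opens fine read-only but is rejected by the type check. */
int demo_directory(void)
{
    int fd = -1;
    return check_and_open_readonly("/", 0, 0, 0755, 07777, &fd);
}

int main(void)
{
    printf("good file: %d, wrong mode: %d, missing: %d, directory: %d\n",
           demo_owned_file(0600), demo_owned_file(0602),
           demo_missing_path(), demo_directory());
    return 0;
}
```

The mode comparison goes through a caller-supplied mask so a check can insist on the permission bits only, or include setuid/setgid/sticky bits when those matter; the log above shows the full-mask form, where 0600 versus an expected 0602 is reported as a failure.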
[PATCH] do not use default_domain_suffix with autofs
by Jakub Hrozek
Hi,
we have a default_domain_suffix parameter in the SSSD with the following
description:
default_domain_suffix (string)
This string will be used as a default domain name for all names without a
domain name component. The main use case is environments where the primary
domain is intended for managing host policies and all users are located in a
trusted domain. The option allows those users to log in just with their user
name without giving a domain name as well.
Please note that if this option is set all users from the primary domain have
to use their fully qualified name, e.g. user(a)domain.name, to log in.
Default: not set
This turned out to be a problem for one RHEL customer recently who uses
the default_domain_suffix option because all his users and groups are
stored in AD. But they also use automounter, which means all requests
from automounter get fully qualified, auto.master becomes
auto.master(a)trusted.ad.domain. And I don't think it's even possible for
automounter to make the map name fully qualified (yes, you can override
the master map name, but then you'd have to also make sure all the nested
map and key names are qualified, which is insane.)
I think that given we only support users and groups from trusted sources
now, we should only consider the default domain suffix for users and
groups.
The customer was kind enough to propose a patch. I think it's correct,
except maybe we should amend the option documentation. I can't think of
any other part of SSSD that needs patching - sudo's input is username
and ssh provider only takes the default domain suffix into consideration
for users as well.
[PATCH 5/7] responder: Use SAFEALIGN macro when checking pam data, validity.
by Michal Židek
On 11/14/2013 01:14 PM, Lukas Slebodnik wrote:>>From
fbc7adbf1331fdb931b43f2b6ffda43565ce442e Mon Sep 17 00:00:00 2001
>> >From: Michal Zidek<mzidek(a)redhat.com>
>> >Date: Wed, 4 Sep 2013 16:17:57 +0200
>> >Subject: [PATCH 5/7] responder: Use SAFEALIGN macro when checking
pam data
>> >validity.
>> >
>> >resolves:
>> >https://fedorahosted.org/sssd/ticket/1359
>> >---
>> >src/responder/pam/pamsrv_cmd.c | 18 +++++++++++++-----
>> >1 file changed, 13 insertions(+), 5 deletions(-)
>> >
>> >diff --git a/src/responder/pam/pamsrv_cmd.c
b/src/responder/pam/pamsrv_cmd.c
>> >index 32efc4b..6418047 100644
>> >--- a/src/responder/pam/pamsrv_cmd.c
>> >+++ b/src/responder/pam/pamsrv_cmd.c
>> >@@ -144,12 +144,20 @@ static int pam_parse_in_data_v2(struct
sss_domain_info *domains,
>> > uint32_t size;
>> > char *pam_user;
>> > int ret;
>> >- uint32_t terminator = SSS_END_OF_PAM_REQUEST;
>> >+ uint32_t start;
>> >+ uint32_t terminator;
>> >
>> >- if (blen < 4*sizeof(uint32_t)+2 ||
>> >- ((uint32_t *)body)[0] != SSS_START_OF_PAM_REQUEST ||
>> >- memcmp(&body[blen - sizeof(uint32_t)], &terminator,
sizeof(uint32_t)) != 0) {
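Review bot: `+ uint32_t terminator;` drops the initializer that `- uint32_t terminator = SSS_END_OF_PAM_REQUEST;` carried, so the comparison of the last four bytes of `body` against `terminator` stays correct only if the new code assigns `terminator` (and `start`) before the compare; the hunk is cut off after the `memcmp` line, so that assignment is not visible here. Please also keep the `blen < 4*sizeof(uint32_t)+2` test ahead of any SAFEALIGN copy out of `body[0]` and `body[blen - sizeof(uint32_t)]`, since that length check is what makes both reads in bounds.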
> Function memcmp is also used in the function pam_forwarder_parse_data,
> although there is no alignment warning we should be consistent at
least in the
> same file.
Yes. I modified it to use safealign copy as well in the new patch.
Michal
PS:
Btw. why is the condition to detect unterminated data like this
if (blen >= sizeof(uint32_t)
&& lastfourbytes != END_OF_PAM_REQUEST) {
return error;
}
Shouldn't it be like this?
if (blen < sizeof(uint32_t)
|| lastfourbytes != END_OF_PAM_REQUEST) {
return error;
}
Is it possible that pam request shorter than terminator is valid?
[PATCH 1/7] sss_client: Use SAFEALIGN_COPY_<type> macros where appropriate
by Michal Židek
On 11/14/2013 01:14 PM, Lukas Slebodnik wrote:> On (05/11/13 15:18),
Michal Židek wrote:
>>>>> Thanks for the responses.
>>>>>
>>>>> I decided to reduce the patches for this thread to only
>>>>> similar or simple changes. I think it is still quite enough
>>>>> for a review. I will post patches for the rest of the issues
>>>>> (like the one with
sockaddr) in
>>>>> separate threads. I hope this will make review easier. So
>>>>> after
applying
>>>>> these patches there will still be a lot of warnings.
>>>>>
>>>>> New patches attached.
>>>>>
>>>>> PS: Sorry for delayed answer.
>>>>>
>>>>>
>>>
>>> Sending patches rebased on top of current master.
>>>
>>> Michal
>>>
>> From 93a3b127e24ed26068ca7cfea41992a86440d8c2 Mon Sep 17 00:00:00
>> 2001
>>> From: Michal Zidek<mzidek(a)redhat.com> Date: Wed, 21 Aug 2013
>>> 17:17:06 +0200 Subject: [PATCH 1/7] sss_client: Use
>>> SAFEALIGN_COPY_<type> macros where diff --git
>>> a/src/sss_client/idmap/sss_nss_idmap.c
b/src/sss_client/idmap/sss_nss_idmap.c
>>> index e0faf6e..69f825f 100644 ---
>>> a/src/sss_client/idmap/sss_nss_idmap.c +++
>>> b/src/sss_client/idmap/sss_nss_idmap.c @@ -108,7 +108,7 @@ static
>>> int sss_nss_getyyybyxxx(union input inp,
enum sss_cli_command cmd ,
>>> goto done; }
>>>
>>> - num_results = ((uint32_t *)repbuf)[0]; +
>>> SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL); if
>>> (num_results == 0) { ret = ENOENT; goto done; @@ -117,7 +117,7 @@
>>> static int sss_nss_getyyybyxxx(union input inp,
enum sss_cli_command cmd ,
>>> goto done; }
>>>
> Please add comment why comment why you skipped one unit32_t There is
> already similar comment on the other place in this patch. /* Skip
> first two 32 bit values (number of results and * reserved padding)
> */
Added.
>
>>> - out->type = ((uint32_t *)repbuf)[2]; +
>>> SAFEALIGN_COPY_UINT32(&out->type, repbuf + 2 *
sizeof(uint32_t), NULL);
>>>
>>> data_len = replen - DATA_START;
>>>
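Review bot: the `out->type` copy reads `repbuf + 2 * sizeof(uint32_t)`, a magic offset that the nss_group.c hunk explains with a `/* Skip first two 32 bit values (number of results and reserved padding) */` comment; the same comment belongs here, and since `data_len = replen - DATA_START` on the next line already assumes the header is present, a check that `replen` is at least `3 * sizeof(uint32_t)` before this copy would make the bound explicit.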
>>> diff --git a/src/sss_client/nss_group.c
>>> b/src/sss_client/nss_group.c index e6ea54b..a7fb093 100644 ---
>>> a/src/sss_client/nss_group.c +++ b/src/sss_client/nss_group.c @@
>>> -298,7 +298,7 @@ enum nss_status _nss_sss_initgroups_dyn(const
char *user, gid_t group,
>>> }
>>>
>>> /* no results if not found */ - num_ret = ((uint32_t
>>> *)repbuf)[0]; + SAFEALIGN_COPY_UINT32(&num_ret, repbuf,
>>> NULL); if (num_ret == 0) { free(repbuf); nret =
>>> NSS_STATUS_NOTFOUND; @@ -328,9 +328,13 @@ enum nss_status
>>> _nss_sss_initgroups_dyn(const
char *user, gid_t group,
>>> *size = newsize; }
>>>
> The same issue is here.
>>> - rbuf = &((uint32_t *)repbuf)[2]; + /* Skip first two 32
>>> bit values (number of results and + * reserved padding) */
^^^^^^^^^^^^^^^^^^^^^
The comment was there. Maybe I missed something?
>>> + buf_index = 2 * sizeof(uint32_t); + for (l = 0; l < max_ret;
>>> l++) { - (*groups)[*start] = rbuf[l]; +
>>> SAFEALIGN_COPY_UINT32(&(*groups)[*start], repbuf + buf_index, +
>>> &buf_index); *start += 1; }
>>>
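Review bot: in the `_nss_sss_initgroups_dyn` loop, `SAFEALIGN_COPY_UINT32(&(*groups)[*start], repbuf + buf_index, &buf_index)` advances `buf_index` by four on every pass, so `max_ret` iterations read `2 * sizeof(uint32_t) + max_ret * sizeof(uint32_t)` bytes of `repbuf`; the hunk shows no check relating `max_ret` to the reply length, so please confirm that the earlier code bounds `max_ret` by the buffer size. The removed `rbuf[l]` indexing reached the same bytes, but with `buf_index` in hand the check can now be stated explicitly next to the loop.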
> Otherwise, conditions look much nicer with variables like a
> "num_results" instead of "buffer magic" (((uint32_t *)repbuf)[0] ==
> 0)
New patch attached.
Michal
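Both the [PATCH 5/7] thread (pam data validity) and the [PATCH 1/7] thread (SAFEALIGN_COPY_<type> in sss_client) replace direct casts such as `((uint32_t *)repbuf)[0]` with memcpy-based copies, and the PS in the 5/7 thread asks in which order the length test and the terminator test should run. As an added illustration, not SSSD's own code, the block below parses a small constructed request format with an alignment-safe copy helper that advances an index the way the SAFEALIGN_COPY_UINT32 calls in the hunks do, checks the length before touching the buffer, and feeds it a deliberately unaligned buffer. The framing constants, the wire layout, safealign_copy_uint32, parse_request, build_request and the demo_* helpers are all assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for start/end framing words; values are hypothetical. */
#define START_OF_REQUEST 0x53535331U
#define END_OF_REQUEST   0x53535345U

/* memcpy is the portable way to read a uint32_t out of a byte buffer: the
 * compiler emits an access sequence that is legal on the target, whereas
 * ((uint32_t *)p)[0] on an unaligned p is undefined behaviour and traps on
 * strict-alignment CPUs. A non-NULL idx is advanced past the value, the same
 * convention the SAFEALIGN_COPY_UINT32(..., &buf_index) calls above rely on. */
static void safealign_copy_uint32(uint32_t *dst, const uint8_t *src, size_t *idx)
{
    memcpy(dst, src, sizeof(uint32_t));
    if (idx != NULL) {
        *idx += sizeof(uint32_t);
    }
}

/* Constructed wire layout: [start u32][ulen u32][ulen user bytes][end u32].
 * Returns 0, EINVAL on bad framing, ENAMETOOLONG if user_out is too small.
 * Every read is bounds-checked before it happens. */
int parse_request(const uint8_t *body, size_t blen, char *user_out, size_t user_out_len)
{
    size_t idx = 0;
    uint32_t start, ulen, terminator;

    /* A request shorter than the three framing words cannot be valid, so the
     * length test runs first and the terminator is never read out of bounds. */
    if (body == NULL || blen < 3 * sizeof(uint32_t)) {
        return EINVAL;
    }
    safealign_copy_uint32(&start, body + idx, &idx);
    if (start != START_OF_REQUEST) {
        return EINVAL;
    }
    safealign_copy_uint32(&terminator, body + blen - sizeof(uint32_t), NULL);
    if (terminator != END_OF_REQUEST) {
        return EINVAL;
    }
    safealign_copy_uint32(&ulen, body + idx, &idx);
    if (ulen > blen - idx - sizeof(uint32_t)) {   /* runs past the terminator */
        return EINVAL;
    }
    if (ulen >= user_out_len) {
        return ENAMETOOLONG;
    }
    memcpy(user_out, body + idx, ulen);
    user_out[ulen] = '\0';
    return 0;
}

/* Serialise a request into buf; returns bytes written, 0 if cap is too small. */
size_t build_request(uint8_t *buf, size_t cap, const char *user)
{
    size_t idx = 0;
    uint32_t ulen = (uint32_t) strlen(user);
    uint32_t start = START_OF_REQUEST, end = END_OF_REQUEST;

    if (cap < 3 * sizeof(uint32_t) + ulen) {
        return 0;
    }
    memcpy(buf + idx, &start, sizeof(start)); idx += sizeof(start);
    memcpy(buf + idx, &ulen, sizeof(ulen));   idx += sizeof(ulen);
    memcpy(buf + idx, user, ulen);            idx += ulen;
    memcpy(buf + idx, &end, sizeof(end));     idx += sizeof(end);
    return idx;
}

/* Constructed sample placed at an odd offset so body is not 4-byte aligned.
 * Returns 0 when "alice" round-trips through build and parse. */
int demo_unaligned_roundtrip(void)
{
    uint8_t storage[64];
    uint8_t *body = storage + 1;
    char user[32];
    size_t blen = build_request(body, sizeof(storage) - 1, "alice");

    if (parse_request(body, blen, user, sizeof(user)) != 0) {
        return -1;
    }
    return strcmp(user, "alice") == 0 ? 0 : -1;
}

/* Three bytes: shorter than one terminator word; must be rejected, not read. */
int demo_too_short(void)
{
    uint8_t body[3] = { 0x01, 0x02, 0x03 };
    char user[8];
    return parse_request(body, sizeof(body), user, sizeof(user));
}

/* A length word claiming more bytes than sit before the terminator. */
int demo_length_overrun(void)
{
    uint8_t body[32];
    char user[32];
    uint32_t bogus = 1000;
    size_t blen = build_request(body, sizeof(body), "bob");

    memcpy(body + sizeof(uint32_t), &bogus, sizeof(bogus));   /* corrupt ulen */
    return parse_request(body, blen, user, sizeof(user));
}

int main(void)
{
    printf("roundtrip: %d, too short: %d, overrun: %d\n",
           demo_unaligned_roundtrip(), demo_too_short(), demo_length_overrun());
    return 0;
}
```

The order of checks answers the PS question for this constructed format: a buffer shorter than the terminator is rejected by the length test before the terminator bytes are read, so the `blen < sizeof(uint32_t) || lastfourbytes != END` shape is the one that never reads out of bounds. Compiling with -fsanitize=alignment (or running on a strict-alignment target) is a quick way to see why the memcpy form is preferred over the cast.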
[PATCH] - Improved detection of user domain
by Pavel Reichl
Hello,
First patch improves domain detection taking matched length into account
as proposed and elaborated by Jakub.
Second patch is a simple unit test testing sss_ldap_dn_in_search_bases
and sdap_domain_get_by_dn.
Pavel Reichl
[PATCH 0/2] Gentoo init script improvements
by Markos@lists.fedorahosted.org
From: Markos Chandras <hwoarang(a)gentoo.org>
Hi,
Please review the following changes for the Gentoo init script.
I am the maintainer of sssd in Gentoo and I already apply these changes
to the init script to make it work properly with openrc.
Please keep me in CC as I am not subscribed.
Bug report: https://fedorahosted.org/sssd/ticket/2165
Markos Chandras (2):
sysv/gentoo: Use xdm if possible
sysv/gentoo: Send debug output to a file instead of stderr
src/sysv/gentoo/sssd.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--
1.8.4.4
[RFC] How to fix #2148 Individual group search returned multiple results in GC lookups
by Sumit Bose
Hi,
I have two ideas how to fix #2148 "Individual group search returned
multiple results in GC lookups".
First a short summary of the issue. In an AD forest where domains have
hierarchical DNS names, e.g. example.com, child.example.com,
grandchild.example.com, a global catalog search for the group 'Domain
Users' from the domain example.com will currently return the 'Domain
Users' groups from child.example.com and grandchild.example.com as well.
The reason is that we are doing an LDAP sub-tree search with
'dc=example,dc=com' as a base which includes the bases of the other
domains as well. Currently we fail, because we only proceed if one
result is returned.
To solve this we can just drop the limitation that we only expect a
single result and just process all results returned. This is currently
already done for user lookups and has the advantage that we could easily
implement * searches for groups, e.g. a* means find all groups where the
name starts with an 'a'. A drawback would be that with a broken LDAP
server, where there are multiple groups with the same name in the same
domain we will not fail completely anymore but process the first
returned group successfully and will fail with the second. But since we
already said in other situations that it is the responsibility of the
LDAP admin to make sure that the information is consistent I think we
can accept it here as well. Additionally this scheme has to be
implemented wherever needed, e.g. sdap_get_initgr_user() would be the
next candidate.
My second idea is to add a hook at all places where we expect one result
but multiple are returned and call a provider specific function which
can try to single out the expected result. For the time being only the
AD provider will implement this function. For AD this function can check
the DN component of all results following the search base. Since the dc
attribute is not used by AD in the containers names following the search
base all results which have dc=something following the search base must
come from a different domain.
Originally I preferred the second one, but since I've seen that user
lookups use the first I'm not sure which one will be better.
Comments or alternatives are welcome.
bye,
Sumit
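The second idea above (single out the expected result by looking at the DN components between the entry and the search base, and treat any dc= component there as a sign the entry belongs to a child domain) is a small string check. As an added illustration, not SSSD's own code, here it is implemented over the forest described in the post. The functions ends_with_base, prefix_has_dc, entry_in_search_domain and select_search_domain, and the sample DNs, are assumptions made for this example; the only assumption about AD taken from the post is that dc is not used in container names below the domain naming context.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Does dn end with base at an RDN boundary? On success *prefix_len is the
 * length of the part of dn that precedes ",base" (0 when dn equals base).
 * Comparison is case-insensitive because DN attribute types and DC values
 * come back in whatever case the server stores them. */
static int ends_with_base(const char *dn, const char *base, size_t *prefix_len)
{
    size_t dl = strlen(dn), bl = strlen(base);

    if (bl == 0 || bl > dl || strcasecmp(dn + dl - bl, base) != 0) {
        return 0;
    }
    if (bl == dl) {
        *prefix_len = 0;
        return 1;
    }
    if (dn[dl - bl - 1] != ',') {
        return 0;   /* e.g. dc=notexample,dc=com does not sit under dc=example,dc=com */
    }
    *prefix_len = dl - bl - 1;
    return 1;
}

/* Walk the RDNs in dn[0..prefix_len) and report whether any has type "dc".
 * A comma escaped with a backslash is part of a value, not an RDN separator. */
static int prefix_has_dc(const char *dn, size_t prefix_len)
{
    size_t i = 0;

    while (i < prefix_len) {
        while (i < prefix_len && dn[i] == ' ') {
            i++;
        }
        if (prefix_len - i >= 3 && strncasecmp(dn + i, "dc=", 3) == 0) {
            return 1;
        }
        while (i < prefix_len && dn[i] != ',') {
            if (dn[i] == '\\' && i + 1 < prefix_len) {
                i++;   /* skip the escaped character */
            }
            i++;
        }
        i++;           /* step over the separating comma */
    }
    return 0;
}

/* 1 if the entry belongs to the domain whose naming context is base, 0 if it
 * lies outside base or under a child domain (a dc= RDN between entry and base). */
int entry_in_search_domain(const char *dn, const char *base)
{
    size_t prefix_len;

    if (!ends_with_base(dn, base, &prefix_len)) {
        return 0;
    }
    return !prefix_has_dc(dn, prefix_len);
}

/* Keep only results from the searched domain. Returns the number kept;
 * kept[] receives pointers into dns[] in their original order. */
size_t select_search_domain(const char **dns, size_t n, const char *base,
                            const char **kept)
{
    size_t i, k = 0;

    for (i = 0; i < n; i++) {
        if (entry_in_search_domain(dns[i], base)) {
            kept[k++] = dns[i];
        }
    }
    return k;
}

/* Constructed sample: the 'Domain Users' hits a GC sub-tree search under
 * dc=example,dc=com would return from the forest described in the post,
 * plus one entry in an OU whose name contains an escaped comma. */
size_t demo_domain_users(void)
{
    const char *hits[] = {
        "CN=Domain Users,CN=Users,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=child,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=grandchild,DC=child,DC=example,DC=com",
        "CN=Domain Users,OU=Site\\, East,DC=example,DC=com",
    };
    const char *kept[4];
    size_t i, n = select_search_domain(hits, 4, "dc=example,dc=com", kept);

    for (i = 0; i < n; i++) {
        printf("kept: %s\n", kept[i]);
    }
    return n;   /* the two entries directly under dc=example,dc=com */
}
```

With this filter in place, the "exactly one result" rule can be applied to the kept set rather than to the raw reply, which keeps the existing failure on genuinely duplicated group names within one domain while dropping the child-domain hits that caused #2148.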
kerberos problems with 2008R2 AD
by Greg Lehmann
Hi All,
I'm after some help tracking this problem down. I am seeing this from a few different OSes all with the same AD realm: CentOS 6.4, SLES 11SP3 and opensuse 13.1 all of which run sssd 1.9.x and SLES 11 SP2 running sssd 1.5.11. The ldap side of things seems to be working OK as getent passwd is returning what I expect. The kerberos side of things is not, although kinit as a user works:
client:/var/log/sssd # kinit user
Password for user(a)DOM.COMPANY.COM:
client:/var/log/sssd #
It looks like the realm is being truncated somehow so DOM.COMPANY.COM is getting truncated to COMPANY.COM for the kerberos lookups. I see this in the krb5_child.log file:
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [main] (0x0400): krb5_child started.
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [unpack_buffer] (0x1000): total buffer size: [104]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [unpack_buffer] (0x0100): cmd [241] uid [67657] gid [67657] validate [false] offline [false]
UPN [user(a)COMPANY.COM]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_67657_XXXXXX] keytab: [/etc/krb5.keytab]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] (0x0400): Will perform online auth
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [sss_child_set_krb5_tracing] (0x0100): krb5 tracing is not available
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [sss_krb5_get_init_creds_opt_set_canonicalize] (0x0040): Kerberos principal canonicalization is not available!
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] (0x0100): Not using FAST.
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [sss_krb5_get_init_creds_opt_set_expire_callback] (0x0200): krb5_get_init_creds_opt_set_expire_callback not available.
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [COMPANY.COM]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [get_and_save_tgt] (0x0020): 977: [-1765328230][Cannot find KDC for requested realm]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [kerr_handle_error] (0x0020): 1030: [-1765328230][Cannot find KDC for requested realm]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [prepare_response_message] (0x0400): Building response for result [-1765328230]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [pack_response_packet] (0x2000): response packet size: [48]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [sendresponse] (0x4000): Response sent.
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [main] (0x0400): krb5_child completed successfully
sssd.conf:
[sssd]
config_file_version = 2
debug_level = 10
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam
domains = DOM.COMPANY.COM
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
debug_level = 10
offline_credentials_expiration = 3
[domain/DOM.COMPANY.COM]
debug_level = 10
filter_groups = root
filter_users = root
description = LDAP domain with AD server
cache_credentials = false
enumerate = false
min_id = 65537
ldap_uri = ldap://dc1.dom.comany.com
ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab
ldap_sasl_authid = CLIENT$(a)DOM.COMPANY.COM
ldap_search_base = dc=dom,dc=company,dc=com
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_search_base = ou=People,dc=dom,dc=company,dc=com
ldap_group_search_base = ou=Groups,dc=dom,dc=company,dc=com
ldap_group_name = msSFU30Name
ldap_group_nesting_level = 5
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_force_upper_case_realm = true
auth_provider = krb5
krb5_realm = DOM.COMPANY.COM
krb5_server = dc.dom.company.com
krb5.conf:
[libdefaults]
clockskew = 300
default_realm = DOM.COMPANY.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
[realms]
DOM.COMPANY.COM = {
default_domain = dom.company.com
admin_server = dc1.dom.company.com
kpasswd_server = dc1.dom.company.com
kdc = dc1.dom.company.com
}
[domain_realm]
.dom.company.com = DOM.COMPANY.COM
dom.company.com = DOM.COMPANY.COM
[logging]
default = SYSLOG:NOTICE:DAEMON
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
debug = true
krb4_convert = false
}