[RFE] Ability of sssd to override shell per group and per user
by Pavel Reichl
Hello,
we have an RFE: Ability of sssd to override shell per group and per user
(described in ticket - https://fedorahosted.org/sssd/ticket/2135 and BZ
- https://bugzilla.redhat.com/show_bug.cgi?id=986394)
Is it generally a good idea to override shell per group and user or are
there any hidden security threats?
IIRC we can override shell based on primary group only, because at the
time when shell overrides are processed no secondary groups are known; is it OK?
Would introducing new configuration options
'override_shell_per_{user,group}' in NSS section be the right way to
implement this RFC?
override_shell_per_user = user1@domain1:sh1, user2:sh2, uid1:sh3
override_shell_per_group = group1@domain1:sh1, group2:sh2, gid1:sh3
Thanks for opinions!
9 years, 7 months
[PATCH] GPO: remove unused talloc contexts
by Lukas Slebodnik
ehlo,
Talloc context was not used in functions ad_gpo_parse_gpo_child_response,
ad_gpo_process_cse_recv, ad_gpo_store_policy_settings.
Patch is attached.
LS
9 years, 7 months
[PATCH] GPO: Use argument ndg_flags instead of constant
by Lukas Slebodnik
ehlo,
Some internal gpo functions [1] were called just once and with constant
NDR_SCALARS as 2nd argument (ndr_flags), but the 2nd argument was not used
in these functions [1]. They used constant NDR_SCALARS.
[1] ndr_pull_security_ace_flags, ndr_pull_security_ace_type,
ndr_pull_security_ace_object_flags, ndr_pull_security_acl_revision,
ndr_pull_security_descriptor_revision,
ndr_pull_security_descriptor_type
Patch is attached.
LS
9 years, 7 months
NSS - use of allowed_shells
by Pavel Reichl
Hello,
We have a user whose use-case seems quite legit to me but is impossible
to achieve without changing the code.
(https://fedorahosted.org/sssd/ticket/2219)
What the user wants: in case the user's shell is not in /etc/shells, he
simply wants to use the value of the 'shell_fallback' option as the user's shell.
This can be achieved if the user's shell is in the 'allowed_shells' option,
but maintaining this option to enumerate all possible shells is not very
convenient when you have a huge heterogeneous network for different
projects with different administrators.
Instead the user proposed a patch adding a special value '*' to
'allowed_shells' which would mean that any user's shell is a member of
'allowed_shells'.
I believe that the patch will work, but the solution will IMO complicate
the shell magic even more.
Could we change the code so that, in case the user's shell is not in
/etc/shells and 'allowed_shells' is empty, 'shell_fallback' is used? Or do
you find the '*' a better option?
Thanks!
9 years, 7 months
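The shell selection rule discussed in the "NSS - use of allowed_shells" thread above, modelled as an added example that is not part of the original posts and is not SSSD's own code. The helper name resolve_shell, the wildcard_ok switch, the sample shell lists and the /sbin/nologin path are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NOLOGIN "/sbin/nologin" /* assumed nologin path */

/* Constructed sample data standing in for /etc/shells and sssd.conf values. */
static const char *const ETC_SHELLS[] = { "/bin/sh", "/bin/bash", NULL };
static const char *const ALLOWED[]    = { "/bin/zsh", NULL };
static const char *const WILDCARD[]   = { "*", NULL };

static bool in_list(const char *const *list, const char *s)
{
    for (; *list != NULL; list++) {
        if (strcmp(*list, s) == 0) {
            return true;
        }
    }
    return false;
}

/* Hypothetical helper (not an SSSD function):
 *  1. shell is in /etc/shells        -> use it as is
 *  2. shell is in allowed_shells     -> use shell_fallback
 *  3. otherwise                      -> nologin
 * With wildcard_ok, a "*" entry makes step 2 match any shell,
 * which is the change proposed in the thread. */
const char *resolve_shell(const char *user_shell,
                          const char *const *etc_shells,
                          const char *const *allowed_shells,
                          const char *shell_fallback, bool wildcard_ok)
{
    if (in_list(etc_shells, user_shell)) {
        return user_shell;
    }
    if (in_list(allowed_shells, user_shell)
        || (wildcard_ok && in_list(allowed_shells, "*"))) {
        return shell_fallback;
    }
    return NOLOGIN;
}

int main(void)
{
    /* /bin/ksh is neither installed locally nor explicitly allowed. */
    printf("explicit list: %s\n",
           resolve_shell("/bin/ksh", ETC_SHELLS, ALLOWED, "/bin/sh", false));
    printf("wildcard list: %s\n",
           resolve_shell("/bin/ksh", ETC_SHELLS, WILDCARD, "/bin/sh", true));
    return 0;
}
```

With the wildcard, an account whose directory-supplied shell previously resolved to nologin now receives shell_fallback, so the allowlist no longer restricts which accounts get an interactive shell. The directory-supplied path itself is still never executed, because only the locally configured fallback is returned.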
[PATCH] sssd.api.conf: Declare case_sensitive as string
by Michal Židek
Hi,
I forgot to declare the case_sensitive option as string in the
sssd.api.conf when I changed it to a 3-state option
(true|false|preserving). This caused authconfig to fail
when case_sensitive was set to preserving.
See attached simple patch.
Michal
9 years, 7 months
[PATCH] pam: sub-domain authentication fix
by Sumit Bose
Hi,
I'm sorry but I introduced a regression with the recent patches which
added support for looking up users with a UPN. This patch should fix it,
please see the commit message for details.
bye,
Sumit
9 years, 7 months