[PATCHES] UTIL: Provide varargs version of debug_fn
by Lukas Slebodnik
ehlo,
The main reason for these patches was to improve
the recently added logging to hbac.
A side effect of these changes is an improvement for libldb
and libsemanage (6th patch)
4th patch is not API/ABI change because
such version has not been released yet.
If you do not like change in hbac callback
hbac_debug_fn_t then we should also remove
because it is too internal then we should
remove also the first two arguments.
"file", "line" also leaks internal data from libhbac.
Removing the first two arguments would be almost
consistent with callbacks in libldb and libsemanage.
LS
8 years, 2 months
[PATCH] subdomains: inherit ldap_krb5_keytab
by Sumit Bose
Hi,
if a different keytab than /etc/krb5.keytab is used e.g. with the AD
provider the subdomains still try to use keys from /etc/krb5.keytab to
connect to e.g. the LDAP server of the subdomain. But if
/etc/krb5.keytab is not present or does not contain suitable keys this
will fail. As a work-around it might be possible to change
default_keytab_name in /etc/krb5.conf but this will change the default
globally and only works for a single file. If e.g. there are 2 AD
domains with alternative keytabs configured this won't work.
The attached patch allows to inherit the setting of ldap_krb5_keytab (or
krb5_keytab) to the subdomains.
bye,
Sumit
8 years, 2 months
[PATCH] Fix typos reported by lintian
by Lukas Slebodnik
ehlo,
lintian can find typos in strings in binary files.
Attached patch should fix them.
I replaced typos in all places in code and not just in error messages.
LS
8 years, 2 months
[PATCH] SPEC: Remove unnecessary requirements
by Lukas Slebodnik
ehlo,
reason is explained in commit message.
The intention for this patch was to simplify the spec file
(at least a little bit :-)
If we want to have some requirements for version of lib{ldb,tdb}
then it would be better to have minimal required version in
BuildRequires + configure detection of libraries.
But it might be outdated if we use some ver ldb features.
LS
8 years, 2 months
proposed libipa_hbac changes
by Jakub Hrozek
Hi,
during my work on pam_hbac I ran into some issues in libipa_hbac that I
would like to fix. And before doing the work I wanted to check if anyone
is opposed to these changes.
I would like to:
1) Stop using C99 in libipa_hbac. pam_hbac can run on old and/or
strange platforms that don't support C99 compilers.
2) Stop using sss_utf8_case_eq unconditionally and rather use an
externally-provided function, a bit like we already set the debug
function. I was thinking even about creating hbac_init() that
would accept these functions and return a context which would then
be passed to other libipa_hbac functions, but this would be an API
break. Alternatively, we could just use a function setter, I just think
the context might be clearer..and IIRC the C libipa_hbac API is used
only by the python bindings at the moment.
3) Also add a private context to the debug function to pass
additional data. Again, this is an API break. If the other
developers don't like changing the API, we can alternatively add
hbac_enable_debug_ex() with the private pointer.
4) Do not include header files from the sssd daemon tree at all.
5) Move the hbac_evaluator.c and ipa_hbac.h files from
src/providers/ipa/ to src/lib/libipa_hbac. This is already the same
as the idmapping library.
6) Some minor enhancements: Fixes to doxygen comments and change
some internally-used errno codes that might not exist on all
platforms (ENOMATCH)
I would welcome others' opinions, especially on the API break..
8 years, 2 months
SSSD Status Tool
by Pavel Březina
I'm sending this on behalf of Pavel Reichl...
Hi,
during devconf week Jakub asked us to send a few overview paragraphs
about features we will be working on in forthcoming months.
Implementation details will be discussed in design documents as usual.
I and Pavel Březina will be working together on SSSD control tool -
SSSCTL. Main purpose of this task is to make administration & debugging
tasks more user friendly and thus hopefully save time of users, support
and us developers.
SSSCTL will be mostly CLI/TUI client using the SSSD infopipe as a server
that will be providing necessary data and will perform/delegate commands
to the SSSD providers and responders.
Capabilities of the tool:
1) online/offline state - https://fedorahosted.org/sssd/ticket/385
Users have repeatedly asked for a simple means to check if the data
provider is offline or online without need to check logs (if logging is
enabled at all).
2a) Report whether the entry is present in SSSD cache -
https://fedorahosted.org/sssd/ticket/2166
2b) Check if the cached entry is valid and refresh if appropriate -
https://fedorahosted.org/sssd/ticket/2166
2c) Measure the time an operation took (useful in performance tuning) -
https://fedorahosted.org/sssd/ticket/385
3) Failover status - Current state of failover process (connecting to
server, waiting, failed, succeeded)
4) Display server to which provider is connected to -
https://fedorahosted.org/sssd/ticket/385
5) Display current debug level of a component
6) Generate memory report
Usually when user is observing a memory leak we provide him a special
build that generates talloc report which we can then analyze. Using this
tool customer would simply select SSSD component that is supposed to
leak memory and generate the talloc report immediately.
7) Force reload - restart of components?
Work dependency:
1) Data provider refactoring
2) Extend interface between DP and IFP -
https://fedorahosted.org/sssd/ticket/2957,
https://fedorahosted.org/sssd/ticket/2954
3) Extend public interface of IFP
4) Tool (logic + user interface) - https://fedorahosted.org/sssd/ticket/385
8 years, 2 months
cache_req improvements
by Pavel Březina
Mostly debugging improvements. For example sudo output looks like:
[sudosrv_get_rules_send] (0x0400): Running initgroups for [user-1]
[cache_req_send] (0x0400): Cache Request [Initgroups by name #1]: New
request
[cache_req_send] (0x0400): Cache Request [Initgroups by name #1]:
Parsing input name [user-1]
[sss_parse_name_for_domains] (0x0200): name 'user-1' matched without
domain, user is user-1
[cache_req_input_set_name] (0x0400): Cache Request [Initgroups by name
#1]: Setting name [user-1]
[cache_req_select_domains] (0x0400): Cache Request [Initgroups by name
#1]: Performing a multi-domain search
[cache_req_input_set_domain] (0x0400): Cache Request [Initgroups by name
#1]: Using domain [LDAP]
[cache_req_check_ncache] (0x0400): Cache Request [Initgroups by name
#1]: Checking negative cache for [user-1@LDAP]
[sss_ncache_check_str] (0x2000): Checking negative cache for
[NCE/USER/LDAP/user-1]
[cache_req_get_object] (0x0200): Cache Request [Initgroups by name #1]:
Requesting info for [user-1@LDAP]
[cache_req_cache_check] (0x0400): Cache Request [Initgroups by name #1]:
[user-1@LDAP] entry is valid
[cache_req_done] (0x0400): Cache Request [Initgroups by name #1]:
Finished: Success
It is now very simple to look up messages for a specific cache_req.
8 years, 2 months
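An added example, not part of the original message or of SSSD: a small filter that pulls out every debug line belonging to one cache request, using the "Cache Request [name #N]" tag shown in the output above. It assumes lines in the form quoted in the message (no timestamp prefix) and rejoins mail-wrapped lines first; the sample text, including request #2, is constructed.

```python
import re

# Constructed sample in the wrapped form shown in the message above.
SAMPLE = """\
[sudosrv_get_rules_send] (0x0400): Running initgroups for [user-1]
[cache_req_send] (0x0400): Cache Request [Initgroups by name #1]: New
request
[sss_parse_name_for_domains] (0x0200): name 'user-1' matched without
domain, user is user-1
[cache_req_check_ncache] (0x0400): Cache Request [Initgroups by name
#1]: Checking negative cache for [user-1@LDAP]
[cache_req_send] (0x0400): Cache Request [Initgroups by name #2]: New
request
[cache_req_done] (0x0400): Cache Request [Initgroups by name #1]:
Finished: Success
"""

# A record starts with "[function] (0xLEVEL): "; anything else is a wrapped tail.
RECORD_START = re.compile(r"^\[(\w+)\] \((0x[0-9a-fA-F]+)\): (.*)$")
# Tag format taken from the sample output: "Cache Request [<name> #<id>]: <msg>"
CR_TAG = re.compile(r"^Cache Request \[(.+?) #(\d+)\]: (.*)$")

def unwrap(text):
    """Rejoin wrapped continuation lines into one record per debug message."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def cache_req_messages(text, req_id):
    """Return (function, level, message) for every record tagged #req_id."""
    out = []
    for rec in unwrap(text):
        m = RECORD_START.match(rec)
        if not m:
            continue
        tag = CR_TAG.match(m.group(3))
        if tag and int(tag.group(2)) == req_id:
            out.append((m.group(1), int(m.group(2), 16), tag.group(3)))
    return out

if __name__ == "__main__":
    for fn, level, msg in cache_req_messages(SAMPLE, 1):
        print(f"{level:#06x} {fn}: {msg}")
```

Helper lines that do not carry the tag, such as the sss_parse_name_for_domains line, are not returned by the filter and have to be correlated by position in the log.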
[PATCH] sss_idmap-tests: Fix segmentation fault
by Lukas Slebodnik
ehlo,
simple patch is attached.
I can reproduce it only with clang.
But it's a typical off-by-one error.
sh$ ./sss_idmap-tests
Running suite(s): IDMAP
Segmentation fault (core dumped)
Running suite(s): IDMAP
==2644== Process terminating with default action of signal 11 (SIGSEGV)
==2644== Access not within mapped region at address 0xA08F430
==2644== at 0x4C2CC53: strcmp (vg_replace_strmem.c:842)
==2644== by 0x4060DA: idmap_test_sid2uid_additional_secondary_slices (sss_idmap-tests.c:451)
==2644== by 0x503C78A: ??? (in /usr/lib64/libcheck.so.0.0.0)
==2644== by 0x503CB7C: srunner_run (in /usr/lib64/libcheck.so.0.0.0)
==2644== by 0x4061EE: main (sss_idmap-tests.c:965)
==2644== If you believe this happened as a result of a stack
==2644== overflow in your program's main thread (unlikely but
==2644== possible), you can try to increase the size of the
==2644== main thread stack using the --main-stacksize= flag.
==2644== The main thread stack size used in this run was 8388608.
LS
8 years, 2 months