<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.linux.redhat.sssd.devel">
    <title>gmane.linux.redhat.sssd.devel</title>
    <link>http://blog.gmane.org/gmane.linux.redhat.sssd.devel</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9682"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9681"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9680"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9679"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9678"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9677"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9676"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9675"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9674"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9673"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9672"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9671"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9670"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9669"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9668"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9667"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9666"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9665"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9664"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9663"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9682">
    <title>Re: [PATCH] Use uint32_t to copy the service port</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9682</link>
    <description>&lt;pre&gt;
Simo noted that we changed the protocol here. We dropped 32 bits of
padding. In order to remain compatible with existing clients, we need to
put that back in, which the attached patch does. (It also corrects the
comment describing the protocol to have it match reality).

The reason we want to do this is that an upgrade and restart of SSSD
won't change the copy of libnss_sss.so that's already loaded into
running processes. Thus we would be breaking service lookups until those
apps were restarted.
_______________________________________________
sssd-devel mailing list
sssd-devel&amp;lt; at &amp;gt;lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-25T14:17:37</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9681">
    <title>Re: Securing remote domains</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9681</link>
    <description>&lt;pre&gt;
If you set id ranges so that 2000 is not valid in the domain it will be
rejected.


These semantics are not something SSSD can influence, they are internal
glibc semantics. On initgroups glibc asks all the group map backends
about group memberships.
However, recently glibc added an option so that you can segregate
initgroups too. In general we try not to use it because in many cases
people do want to have the memberships calculated through all group
backends.
However if you enable "initgroups: files sss", the getgrouplist call does
not continue past files into sss if entries are found in files.
I am not sure I like this option, as it is rather new, undocumented, and
the semantics may not be really useful, but you may want to experiment
with it if you have a new enough glibc. (It was committed to the glibc upstream
repo on May 10 2011.)


SSSD does not, I think we could do something as we should have access to
the list of groups previous nsswitch plugins returned, but we don't, as
in many cases users do want the current initgroups semantics.


IIRC per POSIX rules usernames cannot start with a digit.
I.e. they must have at least one non-digit letter in the name, which means
a numeric-only input to getent passwd should always be considered a
uid number.

Simo.

&lt;/pre&gt;</description>
    <dc:creator>Simo Sorce</dc:creator>
    <dc:date>2012-05-25T13:48:33</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9680">
    <title>Re: Use variable to control verbosity for things in common directory</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9680</link>
    <description>&lt;pre&gt;
Yes.



&lt;/pre&gt;</description>
    <dc:creator>Dmitri Pal</dc:creator>
    <dc:date>2012-05-25T13:04:50</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9679">
    <title>Re: [PATCH] Use uint32_t to copy the service port</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9679</link>
    <description>&lt;pre&gt;
Pushed to master and sssd-1-8.
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-25T12:52:04</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9678">
    <title>Re: [PATCH] Use uint32_t to copy the service port</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9678</link>
    <description>&lt;pre&gt;
Ack
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-25T12:45:41</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9677">
    <title>Re: [PATCH] Use uint32_t to copy the service port</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9677</link>
    <description>&lt;pre&gt;
Sure, new patch is attached.


Yes, I also tested on s390x running RHEL6.
From 67f45ccd456cebcf3f036508dce1028bc9d5735a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek &amp;lt;jhrozek-H+wXaHxf7aLQT0dZR+AlfA&amp;lt; at &amp;gt;public.gmane.org&amp;gt;
Date: Fri, 25 May 2012 13:52:32 +0200
Subject: [PATCH] Send 16bit protocol numbers from the sss_client

https://fedorahosted.org/sssd/ticket/1348
---
 src/responder/nss/nsssrv_services.c |    2 +-
 src/sss_client/nss_services.c       |   13 +++++++------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/responder/nss/nsssrv_services.c b/src/responder/nss/nsssrv_services.c
index 2e539f13576d18c97d8c3bff2ced2fd5ed01290f..db8a2ca132b4f47c4d6cd78ce99280486e22f2a0 100644
--- a/src/responder/nss/nsssrv_services.c
+++ b/src/responder/nss/nsssrv_services.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -1050,7 +1050,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; errno_t parse_getservbyport(TALLOC_CTX *mem_ctx,
     SAFEALIGN_COPY_UINT16(&amp;amp;c, body, NULL);
     port = ntohs(c);
 
-    port_and_padding_len = 2 * sizeof(uint16_t) + sizeof(uint32_t);
+    port_and_padding_len = 2 * sizeof(uint16_t);
     i = port_and_padding_len;
     j = 0;
 
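Review bot: the responder now expects only 2 * sizeof(uint16_t) bytes of port and padding before the protocol string, where it previously also skipped sizeof(uint32_t); this is a wire-format change, so a process that still has the old libnss_sss.so loaded (which sends a 32-bit port plus 4 bytes of padding) will have its protocol string read from the wrong offset until it is restarted. Consider keeping the 32-bit padding on both sides so old and new clients parse identically, and update the comment that documents the request layout at the same time.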
diff --git a/src/sss_client/nss_services.c b/src/sss_client/nss_services.c
index 3f042b4a2a62dbf56b5295e84af8d0371708453a..8f25781a1ec188931157368a2e38067be23c0c00 100644
--- a/src/sss_client/nss_services.c
+++ b/src/sss_client/nss_services.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -270,6 +270,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; _nss_sss_getservbyport_r(int port, const char *protocol,
     size_t proto_len = 0;
     uint8_t *repbuf;
     uint8_t *data;
+    size_t p = 0;
     size_t replen, len;
     enum nss_status nret;
     int ret;
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -285,23 +286,23 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; _nss_sss_getservbyport_r(int port, const char *protocol,
         }
     }
 
-    rd.len = sizeof(uint32_t)*2 + proto_len + 1;
-    data = malloc(sizeof(char)*rd.len);
+    rd.len = sizeof(uint16_t)*2 + proto_len + 1;
+    data = malloc(sizeof(uint8_t)*rd.len);
     if (data == NULL) {
         nret = NSS_STATUS_TRYAGAIN;
         goto out;
     }
 
-    SAFEALIGN_SET_UINT32(data, port, NULL);
+    SAFEALIGN_SET_UINT16(data, port, &amp;amp;p);
 
     /* Padding */
-    memset(data + sizeof(uint32_t), 0, 4);
+    SAFEALIGN_SET_UINT16(data + p, 0, &amp;amp;p);
 
     if (protocol) {
-        memcpy(data + sizeof(uint32_t)*2, protocol, proto_len + 1);
+        memcpy(data + p, protocol, proto_len + 1);
     } else {
         /* No protocol specified, pass empty string */
-        data[sizeof(uint32_t)*2] = '\0';
+        data[p] = '\0';
     }
     rd.data = data;
 
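Review bot: SAFEALIGN_SET_UINT16(data, port, ...) silently narrows the int port parameter to 16 bits; since a service port is a 16-bit value this is the intended behaviour, but an explicit (uint16_t)port cast would document it and keep conversion warnings quiet. On the plus side, both SAFEALIGN_SET_UINT16 calls now advance p, so the memcpy and data[p] offsets below stay correct if the layout changes again.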
&lt;/pre&gt;</description>
    <dc:creator>Jakub Hrozek</dc:creator>
    <dc:date>2012-05-25T12:22:32</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9676">
    <title>Re: [PATCH] Use uint32_t to copy the service port</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9676</link>
    <description>&lt;pre&gt;
Replying to myself, I can confirm that this is working on x86_64 at
least.
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-25T12:12:56</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9675">
    <title>Re: [PATCH] Use uint32_t to copy the service port</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9675</link>
    <description>&lt;pre&gt;

Nack (minor).

Would you mind using SAFEALIGN_SET_UINT16() for the padding? The macro
expands to exactly the same code you have there.

Has this been tested on a little-endian and big-endian system?
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-25T12:09:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9674">
    <title>Re: Securing remote domains</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9674</link>
    <description>&lt;pre&gt;
Right, this is correct (and is one of the headaches with the libc
interface: the behavior of initgroups() and getgrnam() are not
reciprocal).



Yeah, I think I see the issue here now. If there's an LDAP group with ID
10, and they're a member, initgroups() of that user WILL list 10. So
you're right here.


Ok, I get the gist of this. It's pretty hackish though (and will likely
only work with glibc, which is a problem because we're at least *trying*
to maintain compatibility with any libc in SSSD).

Also, as I originally suspected, I'm pretty sure this code is not going
to work with the new initgroups() semantics added to the last two
releases of glibc.

The core problem here is that this is basically a hack. The libc
interface for initgroups() is intentionally written to be additive. This
is working around that by suppressing some values if they happen to also
exist locally. It's not a bad solution, necessarily, but it's against
the spirit of the interface.

Basically, the expectation of both SSSD and libc is that if you add a
source for NSS data, it's *authoritative*. As in, you're asserting that
what's in that central database is the correct answer for your
environment. If that's not the case, then it's worth looking into fixing
your central store (which is usually easier than futzing with individual
clients).

Also, there are valid reasons that you might want to extend local groups
from the central server. For example, an application like a database
might use a hard-coded group ID to determine which users can access the
management console. Being able to add users to this list centrally is a
significant advantage.

I'm not sure we want to build a specialized control in SSSD to suppress
IDs that exist in /etc/group. For one thing, it's only a stop-gap
solution, as a client still might have groups added from other NSS
sources that we won't know about.

In recent versions of SSSD (1.7.0 and later), we have added support for
more complex group search base filtering. You can now specify an LDAP
search filter as part of the group search base to specifically eliminate
groups you don't want to make visible to the local machine. For example:

ldap_group_search_base = \
cn=groups,dc=ex,dc=com?subtree?(!(|(gidNumber=10)(gidNumber=11)))

This search base means that we'll look up and use any group in the
cn=groups subtree except for those that have gidNumber 10 or 11.


I don't think that's something we're likely to fix, but you're welcome
to file an RFE. That really sounds like bugs in chown and chgrp. I'd
prefer not to be adding in workarounds for unrelated software.



On the whole, I think we have different concepts about the expectations
of a central identity store. Everything we're discussing here suggests
that you have concerns about trusting your identity store. That says to
me that you're not in control of it, which is a security breach waiting
to happen. I think you need to examine why you are relying on identities
you don't control.
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-25T11:56:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9673">
    <title>Re: [PATCH] Use uint32_t to copy the service port</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9673</link>
    <description>&lt;pre&gt;
Attached.
From dbef520242fd60b234c05323598318df1bf98207 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek &amp;lt;jhrozek-H+wXaHxf7aLQT0dZR+AlfA&amp;lt; at &amp;gt;public.gmane.org&amp;gt;
Date: Fri, 25 May 2012 13:52:32 +0200
Subject: [PATCH] Send 16bit protocol numbers from the sss_client

https://fedorahosted.org/sssd/ticket/1348
---
 src/responder/nss/nsssrv_services.c |    2 +-
 src/sss_client/nss_services.c       |   14 ++++++++------
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/responder/nss/nsssrv_services.c b/src/responder/nss/nsssrv_services.c
index 2e539f13576d18c97d8c3bff2ced2fd5ed01290f..db8a2ca132b4f47c4d6cd78ce99280486e22f2a0 100644
--- a/src/responder/nss/nsssrv_services.c
+++ b/src/responder/nss/nsssrv_services.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -1050,7 +1050,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; errno_t parse_getservbyport(TALLOC_CTX *mem_ctx,
     SAFEALIGN_COPY_UINT16(&amp;amp;c, body, NULL);
     port = ntohs(c);
 
-    port_and_padding_len = 2 * sizeof(uint16_t) + sizeof(uint32_t);
+    port_and_padding_len = 2 * sizeof(uint16_t);
     i = port_and_padding_len;
     j = 0;
 
diff --git a/src/sss_client/nss_services.c b/src/sss_client/nss_services.c
index 3f042b4a2a62dbf56b5295e84af8d0371708453a..0c4d3ab969017fb86bd69cc03778b274ee6f54af 100644
--- a/src/sss_client/nss_services.c
+++ b/src/sss_client/nss_services.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -270,6 +270,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; _nss_sss_getservbyport_r(int port, const char *protocol,
     size_t proto_len = 0;
     uint8_t *repbuf;
     uint8_t *data;
+    size_t p = 0;
     size_t replen, len;
     enum nss_status nret;
     int ret;
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -285,23 +286,24 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; _nss_sss_getservbyport_r(int port, const char *protocol,
         }
     }
 
-    rd.len = sizeof(uint32_t)*2 + proto_len + 1;
-    data = malloc(sizeof(char)*rd.len);
+    rd.len = sizeof(uint16_t)*2 + proto_len + 1;
+    data = malloc(sizeof(uint8_t)*rd.len);
     if (data == NULL) {
         nret = NSS_STATUS_TRYAGAIN;
         goto out;
     }
 
-    SAFEALIGN_SET_UINT32(data, port, NULL);
+    SAFEALIGN_SET_UINT16(data, port, &amp;amp;p);
 
     /* Padding */
-    memset(data + sizeof(uint32_t), 0, 4);
+    memset(data + p, 0, sizeof(uint16_t));
+    p += sizeof(uint16_t);
 
     if (protocol) {
-        memcpy(data + sizeof(uint32_t)*2, protocol, proto_len + 1);
+        memcpy(data + p, protocol, proto_len + 1);
     } else {
         /* No protocol specified, pass empty string */
-        data[sizeof(uint32_t)*2] = '\0';
+        data[p] = '\0';
     }
     rd.data = data;
 
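Review bot: the padding is written with memset(data + p, 0, sizeof(uint16_t)) followed by a manual p += sizeof(uint16_t), while the port just above is written with SAFEALIGN_SET_UINT16, which advances p itself; writing the padding with SAFEALIGN_SET_UINT16(data + p, 0, ...) and the address of p keeps the two writes symmetric and avoids the offset bookkeeping drifting out of step.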
&lt;/pre&gt;</description>
    <dc:creator>Jakub Hrozek</dc:creator>
    <dc:date>2012-05-25T11:56:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9672">
    <title>Re: Use variable to control verbosity for things in common directory</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9672</link>
    <description>&lt;pre&gt;
This is an ancient ticket. I believe it was originally meant to be for
the unit tests in the ding-libs, so that we could set their verbosity
the same way we do for the tests in SSSD.

It mentions the 'common' directory, which was what ding-libs was before
we split it out.

I think this ticket is no longer valid. This was only really useful for
when SSSD and ding-libs were being built together in the same build
system.
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-25T11:31:35</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9671">
    <title>Re: [PATCH] Use uint32_t to copy the service port</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9671</link>
    <description>&lt;pre&gt;
No, you're right. The client should only be sending a 16-bit value.

Nack.
Please change the client to send a uint16_t instead.
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-25T11:28:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9670">
    <title>Re: Use variable to control verbosity for things in common directory</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9670</link>
    <description>&lt;pre&gt;
The way I read the ticket (although I'm not exactly sure if verbosity
meant debug there..), the ticket was specifically talking about the sss_
command line tools such as sss_useradd (see src/tools/*.c).

Currently the user must specify the debug level with an undocumented
--debug switch. The ticket proposed to also read some environment variable
and set the debug level according to that environment variable.
&lt;/pre&gt;</description>
    <dc:creator>Jakub Hrozek</dc:creator>
    <dc:date>2012-05-25T10:50:50</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9669">
    <title>[PATCH] Use uint32_t to copy the service port</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9669</link>
    <description>&lt;pre&gt;The sss_client was copying a 32-bit port value, but the NSS responder was
reading a 16-bit port value. This was breaking on big-endian machines where
we read "the other 16 bits".

By the way, is there a reason to use 32 bits in the client in the first
place? IIRC a port number is a 16-bit value..
From eb8a81adfa05cfa8b62291bac0052c4e15124a8e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek &amp;lt;jhrozek-H+wXaHxf7aLQT0dZR+AlfA&amp;lt; at &amp;gt;public.gmane.org&amp;gt;
Date: Fri, 25 May 2012 11:51:11 +0200
Subject: [PATCH] Use uint32_t to copy the service port

---
 src/responder/nss/nsssrv_services.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/responder/nss/nsssrv_services.c b/src/responder/nss/nsssrv_services.c
index 2e539f13576d18c97d8c3bff2ced2fd5ed01290f..3a6e1b07866a539b36284446e60b2d507d312275 100644
--- a/src/responder/nss/nsssrv_services.c
+++ b/src/responder/nss/nsssrv_services.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -1041,13 +1041,13 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; errno_t parse_getservbyport(TALLOC_CTX *mem_ctx,
     errno_t ret;
     size_t i, j;
     size_t port_and_padding_len;
-    uint16_t c, port;
+    uint32_t c, port;
     char *protocol;
     TALLOC_CTX *tmp_ctx = talloc_new(NULL);
     if (!tmp_ctx) return ENOMEM;
 
     /* Copy in the port */
-    SAFEALIGN_COPY_UINT16(&amp;amp;c, body, NULL);
+    SAFEALIGN_COPY_UINT32(&amp;amp;c, body, NULL);
     port = ntohs(c);
 
     port_and_padding_len = 2 * sizeof(uint16_t) + sizeof(uint32_t);
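Review bot: widening c and port to uint32_t makes the responder read what the client currently writes, but a service port is a 16-bit value and ntohs(c) still truncates the result to 16 bits, so this papers over a client-side bug rather than fixing it; the client should send a uint16_t (as the follow-up in this thread concludes) and the responder should keep SAFEALIGN_COPY_UINT16 with uint16_t c, port.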
&lt;/pre&gt;</description>
    <dc:creator>Jakub Hrozek</dc:creator>
    <dc:date>2012-05-25T10:46:53</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9668">
    <title>Use variable to control verbosity for things in commondirectory</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9668</link>
    <description>&lt;pre&gt;
https://fedorahosted.org/sssd/ticket/394

I was reviewing this ticket, and it talks about a default value for verbosity,

although I'm not sure if it is about the sssd debug level or some other case.

In the case of the debug level:

Reading the theory in
   http://sgallagh.fedorapeople.org/sssd/1.8.91/man/sssd.conf.5.html
in the section debug_level (integer), it mentions that:

  "0x0010 is the default value as well as the lowest allowed value"
  "0x0010: Fatal failures. Anything that would prevent SSSD from starting up or causes it to cease running."

If you want to use a higher debug level, it is changed in sssd.conf-&amp;gt; debug_level = (the desired level is placed there).

If it is not specified with the command line flag, the value indicated in sssd.conf -&amp;gt;debug_level is used.

If debug_level is specified on the command line, the command line value is used first; this was corrected in ticket https://fedorahosted.org/sssd/ticket/764

In the case concerned here, the flag already exists.
util.h
[code]
/** \def DEBUG_IS_SET(level)
    \brief checks whether level (must be in new format) is set in debug_level
    \param level the debug level, please use one of the SSSDBG*_ macros
*/
#define DEBUG_IS_SET(level) (debug_level &amp;amp; (level))

#define CONVERT_AND_SET_DEBUG_LEVEL(new_value) debug_level = ( \
    ((new_value) != SSSDBG_INVALID) \
    ? debug_convert_old_level(new_value) \
    : SSSDBG_UNRESOLVED /* Debug level should be loaded from config file. */ \
);
[/code]
&lt;/pre&gt;</description>
    <dc:creator>Ariel Barria</dc:creator>
    <dc:date>2012-05-25T05:22:19</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9667">
    <title>Re: Securing remote domains</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9667</link>
    <description>&lt;pre&gt;Excerpts from Stephen Gallagher's message of Wed May 23 08:12:33 -0400 2012:

Yes, we are in agreement here.


OK, the further case we worry about is as follows: If you call
getpwnam("imposter"), will we get back UID 2000, or will this be rejected?


We do not believe the traditional nsswitch semantics work this way.  If you
look at initgroups(), what will happen is that the lookup for groups of a
remote user will fail on the local groups source (/etc/group), and then NSS
will consult the remote source for groups, and initgroups_dyn will add them as
secondary groups for the user.  These groups are not normally distinguished
from the normal groups.

It is possible that SSSD has different semantics, but this is not
obvious to us.


Yes, and secondary GIDs have the same problem, unless SSSD does something
dramatically different.  I will file this report.


You can access nss_nonlocal from here:

    http://debathena.mit.edu/nss_nonlocal/
    git://andersk.mit.edu/nss_nonlocal
    http://andersk.mit.edu/gitweb/nss_nonlocal.git

It also contains the code for our security checks, so if you're
interested in the precise semantics, I suggest taking a look.
(And yes, we use internal glibc APIs, check nsswitch-internal.h)

Here is another common security concern we are worried about: many programs
(e.g. chown and chgrp, see http://debathena.mit.edu/trac/ticket/367) get
confused if you pass them a numeric username, interpreting it as a UID if it
exists. So nss_nonlocal also rejects remote users which have numeric IDs that
match a local UID, and remote groups that have numeric IDs that match a local
GID.

Cheers,
Edward
&lt;/pre&gt;</description>
    <dc:creator>Edward Z. Yang</dc:creator>
    <dc:date>2012-05-25T04:11:47</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9666">
    <title>[PATCH] sss_idmap: add support for samba struct dom_sid</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9666</link>
    <description>&lt;pre&gt;Hi,

this patch allows us, besides other conversions, to convert the dom_sid
structure used by samba to strings and back. This structure is used by
various samba libraries, but there are no public interfaces for the
conversion. I've seen Simo adding code to the IPA kdb plugin doing these
conversions and I need them for the PAC responder as well. So I thought
it might be useful to put it in a library.

bye,
Sumit
From b33d2e0e6cb18a3c90a9b4fda0d4ae7e60136f97 Mon Sep 17 00:00:00 2001
From: Sumit Bose &amp;lt;sbose&amp;lt; at &amp;gt;redhat.com&amp;gt;
Date: Thu, 24 May 2012 12:39:56 +0200
Subject: [PATCH] sss_idmap: add support for samba struct dom_sid

The samba ndr libraries use struct dom_sid to handle SIDs. Since there
is no public samba library which offers conversion from other
representations, e.g. as a string, this is added to libsss_idmap. There
is only a compile-time dependency on the samba header files to check if
struct dom_sid has the expected format. There is no run-time dependency
on any samba library.
---
 Makefile.am                    |    3 +
 configure.ac                   |    1 +
 src/external/dom_sid.m4        |   65 ++++++++++++++
 src/lib/idmap/sss_idmap.h      |  107 +++++++++++++++++++++++
 src/lib/idmap/sss_idmap_conv.c |  183 ++++++++++++++++++++++++++++++++++++++++
 src/tests/sss_idmap-tests.c    |  104 ++++++++++++++++++++++-
 6 files changed, 461 insertions(+), 2 deletions(-)
 create mode 100644 src/external/dom_sid.m4

diff --git a/Makefile.am b/Makefile.am
index 7663053..f0aab71 100644
--- a/Makefile.am
+++ b/Makefile.am
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -513,6 +513,8 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; dist_pkgconfig_DATA += src/lib/idmap/sss_idmap.pc
 libsss_idmap_la_SOURCES = \
     src/lib/idmap/sss_idmap.c \
     src/lib/idmap/sss_idmap_conv.c
+libsss_idmap_la_CFLAGS = \
+    $(NDR_CFLAGS)
 libsss_idmap_la_LDFLAGS = \
     -version-info 0:1:0
 
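Review bot: libsss_idmap_la_CFLAGS is set to $(NDR_CFLAGS) alone; automake uses a per-target _CFLAGS in place of AM_CFLAGS, so libsss_idmap would lose the project-wide compiler flags, unlike sss_idmap_tests_CFLAGS in the next hunk, which keeps $(AM_CFLAGS). Prefer `libsss_idmap_la_CFLAGS = $(AM_CFLAGS) $(NDR_CFLAGS)`.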
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -985,6 +987,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; sss_idmap_tests_SOURCES = \
     src/tests/sss_idmap-tests.c
 sss_idmap_tests_CFLAGS = \
     $(AM_CFLAGS) \
+    $(NDR_CFLAGS) \
     $(CHECK_CFLAGS)
 sss_idmap_tests_LDADD = \
     $(CHECK_LIBS) \
diff --git a/configure.ac b/configure.ac
index 16e10d6..0b0e7b8 100644
--- a/configure.ac
+++ b/configure.ac
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -126,6 +126,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; m4_include([src/external/libkeyutils.m4])
 m4_include([src/external/libnl.m4])
 m4_include([src/external/systemd.m4])
 m4_include([src/external/pac_responder.m4])
+m4_include([src/external/dom_sid.m4])
 m4_include([src/util/signal.m4])
 
 WITH_UNICODE_LIB
diff --git a/src/external/dom_sid.m4 b/src/external/dom_sid.m4
new file mode 100644
index 0000000..0088008
--- /dev/null
+++ b/src/external/dom_sid.m4
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -0,0 +1,65 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt;
+AC_SUBST(NDR_CFLAGS)
+AC_SUBST(NDR_LIBS)
+PKG_CHECK_MODULES(NDR, ndr,,
+                  AC_MSG_ERROR([Cannot check struct dom_sid without ndr header installed]))
+SAVE_CFLAGS=$CFLAGS
+CFLAGS="$CFLAGS $NDR_CFLAGS"
+dnl Since the names of the checked components are used as parts of variable
+dnl names by autoconf it is not possible to use the [] index notation directly.
+dnl As a workaround I used the define apporach below
+AC_CHECK_MEMBERS([struct dom_sid.sid_rev_num,
+                  struct dom_sid.num_auths,
+                  struct dom_sid.id_auth0,
+                  struct dom_sid.id_auth1,
+                  struct dom_sid.id_auth2,
+                  struct dom_sid.id_auth3,
+                  struct dom_sid.id_auth4,
+                  struct dom_sid.id_auth5,
+                  struct dom_sid.sub_auths0,
+                  struct dom_sid.sub_auths1,
+                  struct dom_sid.sub_auths2,
+                  struct dom_sid.sub_auths3,
+                  struct dom_sid.sub_auths4,
+                  struct dom_sid.sub_auths5,
+                  struct dom_sid.sub_auths6,
+                  struct dom_sid.sub_auths7,
+                  struct dom_sid.sub_auths8,
+                  struct dom_sid.sub_auths9,
+                  struct dom_sid.sub_auths10,
+                  struct dom_sid.sub_auths11,
+                  struct dom_sid.sub_auths12,
+                  struct dom_sid.sub_auths13,
+                  struct dom_sid.sub_auths14],
+                 [AC_DEFINE([HAVE_VALID_DOM_SID],
+                            [1],
+                            [Define if struct dom_sid has all expected members.])],
+                 [AC_MSG_ERROR([struct dom_sid does not has all expected members.])],
+                 [[#include &amp;lt;pwd.h&amp;gt;
+                   #include &amp;lt;stdbool.h&amp;gt;
+                   #include &amp;lt;util/data_blob.h&amp;gt;
+                   #include &amp;lt;gen_ndr/security.h&amp;gt;
+                   #define id_auth0 id_auth[0]
+                   #define id_auth1 id_auth[1]
+                   #define id_auth2 id_auth[2]
+                   #define id_auth3 id_auth[3]
+                   #define id_auth4 id_auth[4]
+                   #define id_auth5 id_auth[5]
+                   #define sub_auths0 sub_auths[0]
+                   #define sub_auths1 sub_auths[1]
+                   #define sub_auths2 sub_auths[2]
+                   #define sub_auths3 sub_auths[3]
+                   #define sub_auths4 sub_auths[4]
+                   #define sub_auths5 sub_auths[5]
+                   #define sub_auths6 sub_auths[6]
+                   #define sub_auths7 sub_auths[7]
+                   #define sub_auths8 sub_auths[8]
+                   #define sub_auths9 sub_auths[9]
+                   #define sub_auths10 sub_auths[10]
+                   #define sub_auths11 sub_auths[11]
+                   #define sub_auths12 sub_auths[12]
+                   #define sub_auths13 sub_auths[13]
+                   #define sub_auths14 sub_auths[14]
+                   #define sub_auths15 sub_auths[15]
+                  ]])
+
+CFLAGS=$SAVE_CFLAGS
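Review bot: the AC_CHECK_MEMBERS block proves that the members exist but not that the arrays are as long as the conversion code assumes. sss_idmap_conv.c copies SID_ID_AUTHS (6) entries out of id_auth and SID_SUB_AUTHS (15) entries out of sub_auths; a Samba header with shorter arrays would still compile, because a constant out-of-range index such as "#define sub_auths14 sub_auths[14]" is not a compile error, and the copy loops would then read and write past the end of the struct. A stronger check is an AC_COMPILE_IFELSE that fails on a negative array size when sizeof(((struct dom_sid *)0)-sub_auths) / sizeof(uint32_t) is not 15 (and likewise 6 for id_auth). Two smaller points: "PKG_CHECK_MODULES(NDR, ndr,, AC_MSG_ERROR(...))" makes ndr a hard build requirement of libsss_idmap, which sits awkwardly next to the header comment about avoiding a hard dependency on Samba devel packages, and the "sub_auths15" define has no matching member in the list (harmless, but dead). Typos in the new file: "apporach" and "does not has".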
diff --git a/src/lib/idmap/sss_idmap.h b/src/lib/idmap/sss_idmap.h
index a3ec919..6b7cbe5 100644
--- a/src/lib/idmap/sss_idmap.h
+++ b/src/lib/idmap/sss_idmap.h
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -98,6 +98,13 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; struct sss_dom_sid;
 struct sss_idmap_ctx;
 
 /**
+ * Placeholder for Samba's struct dom_sid. Consumers of libsss_idmap should
+ * include an appropriate Samba header file to define struct dom_sid. We use
+ * it here to avoid a hard dependency on Samba devel packages.
+ */
+struct dom_sid;
+
+/**
  * &amp;lt; at &amp;gt;brief Initialize idmap context
  *
  * &amp;lt; at &amp;gt;param[in] alloc_func Function to allocate memory for the context, if
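Review bot: the new doc comment tells consumers to include "an appropriate Samba header" without naming it; since both the implementation and the tests in this patch rely on stdbool.h, util/data_blob.h and gen_ndr/security.h (in that order), the comment should list exactly those so a consumer does not have to guess which Samba header defines struct dom_sid.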
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -375,6 +382,106 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; enum idmap_error_code sss_idmap_dom_sid_to_sid(struct sss_idmap_ctx *ctx,
 enum idmap_error_code sss_idmap_sid_to_dom_sid(struct sss_idmap_ctx *ctx,
                                                const char *sid,
                                                struct sss_dom_sid **dom_sid);
+
+/**
+ * &amp;lt; at &amp;gt;brief Convert SID string to Samba dom_sid structure
+ *
+ * &amp;lt; at &amp;gt;param[in] ctx       Idmap context
+ * &amp;lt; at &amp;gt;param[in] sid       Zero-terminated string representation of the SID
+ * &amp;lt; at &amp;gt;param[out] smb_sid  Samba dom_sid structure,
+ *                      must be freed if not needed anymore
+ *
+ * &amp;lt; at &amp;gt;return
+ *  - #IDMAP_SID_INVALID: Given SID is invalid
+ *  - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result
+ */
+enum idmap_error_code sss_idmap_sid_to_smb_sid(struct sss_idmap_ctx *ctx,
+                                               const char *sid,
+                                               struct dom_sid **smb_sid);
+
+/**
+ * &amp;lt; at &amp;gt;brief Convert Samba dom_sid structure to SID string
+ *
+ * &amp;lt; at &amp;gt;param[in] ctx       Idmap context
+ * &amp;lt; at &amp;gt;param[in] smb_sid   Samba dom_sid structure
+ * &amp;lt; at &amp;gt;param[out] sid      Zero-terminated string representation of the SID,
+ *                      must be freed if not needed anymore
+ *
+ * &amp;lt; at &amp;gt;return
+ *  - #IDMAP_SID_INVALID: Given SID is invalid
+ *  - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result
+ */
+enum idmap_error_code sss_idmap_smb_sid_to_sid(struct sss_idmap_ctx *ctx,
+                                               struct dom_sid *smb_sid,
+                                               char **sid);
+
+/**
+ * &amp;lt; at &amp;gt;brief Convert SID stucture to Samba dom_sid structure
+ *
+ * &amp;lt; at &amp;gt;param[in] ctx       Idmap context
+ * &amp;lt; at &amp;gt;param[in] dom_sid   SID structure
+ * &amp;lt; at &amp;gt;param[out] smb_sid  Samba dom_sid structure,
+ *                      must be freed if not needed anymore
+ *
+ * &amp;lt; at &amp;gt;return
+ *  - #IDMAP_SID_INVALID: Given SID is invalid
+ *  - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result
+ */
+enum idmap_error_code sss_idmap_dom_sid_to_smb_sid(struct sss_idmap_ctx *ctx,
+                                                   struct sss_dom_sid *dom_sid,
+                                                   struct dom_sid **smb_sid);
+
+/**
+ * &amp;lt; at &amp;gt;brief Convert Samba dom_sid structure to SID structure
+ *
+ * &amp;lt; at &amp;gt;param[in] ctx       Idmap context
+ * &amp;lt; at &amp;gt;param[in] smb_sid   Samba dom_sid structure
+ * &amp;lt; at &amp;gt;param[out] dom_sid  SID structure,
+ *                      must be freed if not needed anymore
+ *
+ * &amp;lt; at &amp;gt;return
+ *  - #IDMAP_SID_INVALID: Given SID is invalid
+ *  - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result
+ */
+enum idmap_error_code sss_idmap_smb_sid_to_dom_sid(struct sss_idmap_ctx *ctx,
+                                                   struct dom_sid *smb_sid,
+                                                   struct sss_dom_sid **dom_sid);
+
+/**
+ * &amp;lt; at &amp;gt;brief Convert binary SID to Samba dom_sid structure
+ *
+ * &amp;lt; at &amp;gt;param[in] ctx       Idmap context
+ * &amp;lt; at &amp;gt;param[in] bin_sid   Array with the binary SID
+ * &amp;lt; at &amp;gt;param[in] length    Size of the array containing the binary SID
+ * &amp;lt; at &amp;gt;param[out] smb_sid  Samba dom_sid structure,
+ *                      must be freed if not needed anymore
+ *
+ * &amp;lt; at &amp;gt;return
+ *  - #IDMAP_SID_INVALID: Given SID is invalid
+ *  - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result
+ */
+enum idmap_error_code sss_idmap_bin_sid_to_smb_sid(struct sss_idmap_ctx *ctx,
+                                                   const uint8_t *bin_sid,
+                                                   size_t length,
+                                                   struct dom_sid **smb_sid);
+
+/**
+ * &amp;lt; at &amp;gt;brief Convert Samba dom_sid structure to binary SID
+ *
+ * &amp;lt; at &amp;gt;param[in] ctx       Idmap context
+ * &amp;lt; at &amp;gt;param[in] smb_sid   Samba dom_sid structure
+ * &amp;lt; at &amp;gt;param[out] bin_sid  Array with the binary SID,
+ *                      must be freed if not needed anymore
+ * &amp;lt; at &amp;gt;param[out] length   Size of the array containing the binary SID
+ *
+ * &amp;lt; at &amp;gt;return
+ *  - #IDMAP_SID_INVALID: Given SID is invalid
+ *  - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result
+ */
+enum idmap_error_code sss_idmap_smb_sid_to_bin_sid(struct sss_idmap_ctx *ctx,
+                                                   struct dom_sid *smb_sid,
+                                                   uint8_t **bin_sid,
+                                                   size_t *length);
 /**
  * &amp;lt; at &amp;gt;}
  */
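Review bot: the three functions that take a Samba SID as input (sss_idmap_smb_sid_to_sid, sss_idmap_smb_sid_to_dom_sid, sss_idmap_smb_sid_to_bin_sid) only read it, so the parameter should be "const struct dom_sid *smb_sid"; as declared, callers holding a const SID have to cast. The "must be freed if not needed anymore" notes should also say with what, because the library allocates through the caller-supplied alloc_func and a caller cannot know whether plain free(), talloc_free() or the context's own free callback is correct. Finally, "Convert SID stucture to Samba dom_sid structure" has a typo.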
diff --git a/src/lib/idmap/sss_idmap_conv.c b/src/lib/idmap/sss_idmap_conv.c
index df96fcc..d74df8c 100644
--- a/src/lib/idmap/sss_idmap_conv.c
+++ b/src/lib/idmap/sss_idmap_conv.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -31,6 +31,10 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt;
 #include "lib/idmap/sss_idmap_private.h"
 #include "util/util.h"
 
+#include &amp;lt;stdbool.h&amp;gt;
+#include &amp;lt;util/data_blob.h&amp;gt;
+#include &amp;lt;gen_ndr/security.h&amp;gt;
+
 #define SID_ID_AUTHS 6
 #define SID_SUB_AUTHS 15
 struct sss_dom_sid {
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -59,6 +63,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; enum idmap_error_code sss_idmap_bin_sid_to_dom_sid(struct sss_idmap_ctx *ctx,
     if (dom_sid == NULL) {
         return IDMAP_OUT_OF_MEMORY;
     }
+    memset(dom_sid, 0, sizeof(struct sss_dom_sid));
 
     /* Safely copy in the SID revision number */
     dom_sid-&amp;gt;sid_rev_num = (uint8_t) *(bin_sid + p);
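Review bot: good addition. The new tests compare whole structs with memcmp over sizeof(struct dom_sid), so every function that produces an sss_dom_sid or a dom_sid must zero it first, otherwise padding bytes and the unused tail of sub_auths make the comparison nondeterministic; this hunk covers sss_idmap_bin_sid_to_dom_sid and the new conversion functions memset their results, but it is worth confirming that sss_idmap_sid_to_dom_sid, which sss_idmap_sid_to_smb_sid is built on, does the same.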
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -387,3 +392,181 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; done:
 
     return err;
 }
+
+enum idmap_error_code sss_idmap_sid_to_smb_sid(struct sss_idmap_ctx *ctx,
+                                               const char *sid,
+                                               struct dom_sid **_smb_sid)
+{
+    enum idmap_error_code err;
+    struct sss_dom_sid *dom_sid = NULL;
+    struct dom_sid *smb_sid = NULL;
+
+    err = sss_idmap_sid_to_dom_sid(ctx, sid, &amp;amp;dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    err = sss_idmap_dom_sid_to_smb_sid(ctx, dom_sid, &amp;amp;smb_sid);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    *_smb_sid = smb_sid;
+    err = IDMAP_SUCCESS;
+
+done:
+    talloc_free(dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        talloc_free(smb_sid);
+    }
+
+    return err;
+}
+
+enum idmap_error_code sss_idmap_smb_sid_to_sid(struct sss_idmap_ctx *ctx,
+                                               struct dom_sid *smb_sid,
+                                               char **_sid)
+{
+    enum idmap_error_code err;
+    struct sss_dom_sid *dom_sid = NULL;
+    char *sid = NULL;
+
+    err = sss_idmap_smb_sid_to_dom_sid(ctx, smb_sid, &amp;amp;dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    err = sss_idmap_dom_sid_to_sid(ctx, dom_sid, &amp;amp;sid);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    *_sid = sid;
+    err = IDMAP_SUCCESS;
+
+done:
+    talloc_free(dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        talloc_free(sid);
+    }
+
+    return err;
+}
+
+enum idmap_error_code sss_idmap_dom_sid_to_smb_sid(struct sss_idmap_ctx *ctx,
+                                                   struct sss_dom_sid *dom_sid,
+                                                   struct dom_sid **_smb_sid)
+{
+    struct dom_sid *smb_sid;
+    size_t c;
+
+    smb_sid = ctx-&amp;gt;alloc_func(sizeof(struct dom_sid), ctx-&amp;gt;alloc_pvt);
+    if (smb_sid == NULL) {
+        return IDMAP_OUT_OF_MEMORY;
+    }
+    memset(smb_sid, 0, sizeof(struct dom_sid));
+
+    smb_sid-&amp;gt;sid_rev_num = dom_sid-&amp;gt;sid_rev_num;
+    smb_sid-&amp;gt;num_auths = dom_sid-&amp;gt;num_auths;
+    for (c = 0; c &amp;lt; SID_ID_AUTHS; c++) {
+        smb_sid-&amp;gt;id_auth[c] = dom_sid-&amp;gt;id_auth[c];
+    }
+    for (c = 0; c &amp;lt; SID_SUB_AUTHS; c++) {
+        smb_sid-&amp;gt;sub_auths[c] = dom_sid-&amp;gt;sub_auths[c];
+    }
+
+    *_smb_sid = smb_sid;
+
+    return IDMAP_SUCCESS;
+}
+
+enum idmap_error_code sss_idmap_smb_sid_to_dom_sid(struct sss_idmap_ctx *ctx,
+                                                   struct dom_sid *smb_sid,
+                                                   struct sss_dom_sid **_dom_sid)
+{
+    struct sss_dom_sid *dom_sid;
+    size_t c;
+
+    dom_sid = ctx-&amp;gt;alloc_func(sizeof(struct sss_dom_sid), ctx-&amp;gt;alloc_pvt);
+    if (dom_sid == NULL) {
+        return IDMAP_OUT_OF_MEMORY;
+    }
+    memset(dom_sid, 0, sizeof(struct sss_dom_sid));
+
+    dom_sid-&amp;gt;sid_rev_num = smb_sid-&amp;gt;sid_rev_num;
+    dom_sid-&amp;gt;num_auths = smb_sid-&amp;gt;num_auths;
+    for (c = 0; c &amp;lt; SID_ID_AUTHS; c++) {
+        dom_sid-&amp;gt;id_auth[c] = smb_sid-&amp;gt;id_auth[c];
+    }
+    for (c = 0; c &amp;lt; SID_SUB_AUTHS; c++) {
+        dom_sid-&amp;gt;sub_auths[c] = smb_sid-&amp;gt;sub_auths[c];
+    }
+
+    *_dom_sid = dom_sid;
+
+    return IDMAP_SUCCESS;
+}
+
+enum idmap_error_code sss_idmap_bin_sid_to_smb_sid(struct sss_idmap_ctx *ctx,
+                                                   const uint8_t *bin_sid,
+                                                   size_t length,
+                                                   struct dom_sid **_smb_sid)
+{
+    enum idmap_error_code err;
+    struct sss_dom_sid *dom_sid = NULL;
+    struct dom_sid *smb_sid = NULL;
+
+    err = sss_idmap_bin_sid_to_dom_sid(ctx, bin_sid, length, &amp;amp;dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    err = sss_idmap_dom_sid_to_smb_sid(ctx, dom_sid, &amp;amp;smb_sid);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    *_smb_sid = smb_sid;
+    err = IDMAP_SUCCESS;
+
+done:
+    talloc_free(dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        talloc_free(smb_sid);
+    }
+
+    return err;
+}
+
+enum idmap_error_code sss_idmap_smb_sid_to_bin_sid(struct sss_idmap_ctx *ctx,
+                                                   struct dom_sid *smb_sid,
+                                                   uint8_t **_bin_sid,
+                                                   size_t *_length)
+{
+    enum idmap_error_code err;
+    struct sss_dom_sid *dom_sid = NULL;
+    uint8_t *bin_sid = NULL;
+    size_t length;
+
+    err = sss_idmap_smb_sid_to_dom_sid(ctx, smb_sid, &amp;amp;dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    err = sss_idmap_dom_sid_to_bin_sid(ctx, dom_sid, &amp;amp;bin_sid, &amp;amp;length);
+    if (err != IDMAP_SUCCESS) {
+        goto done;
+    }
+
+    *_bin_sid = bin_sid;
+    *_length = length;
+    err = IDMAP_SUCCESS;
+
+done:
+    talloc_free(dom_sid);
+    if (err != IDMAP_SUCCESS) {
+        talloc_free(bin_sid);
+    }
+
+    return err;
+}
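Review bot: sss_idmap_smb_sid_to_dom_sid copies sid_rev_num, num_auths and both arrays without validating anything, so nothing in this hunk can ever return IDMAP_SID_INVALID even though the header documents it for every new function; a dom_sid whose num_auths exceeds SID_SUB_AUTHS, or whose revision is not the expected value, is accepted and then handed on to sss_idmap_dom_sid_to_bin_sid and sss_idmap_dom_sid_to_sid, which use num_auths to decide how many sub-authorities to emit. Reject such input with IDMAP_SID_INVALID before the copy, and add the mirror-image check in sss_idmap_dom_sid_to_smb_sid. Separately, results are allocated with "ctx-alloc_func(sizeof(struct dom_sid), ctx-alloc_pvt)" but released on the error paths with talloc_free(); that hard-codes talloc inside a library whose allocator is pluggable, and a consumer that supplied a different alloc_func would get a mismatched free. Use the free callback that belongs to the context. As in the header, the input "struct dom_sid *smb_sid" parameters can be const.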
diff --git a/src/tests/sss_idmap-tests.c b/src/tests/sss_idmap-tests.c
index b821dfc..a7d5f57 100644
--- a/src/tests/sss_idmap-tests.c
+++ b/src/tests/sss_idmap-tests.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -21,6 +21,9 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt;
 */
 
 #include &amp;lt;check.h&amp;gt;
+#include &amp;lt;stdbool.h&amp;gt;
+#include &amp;lt;util/data_blob.h&amp;gt;
+#include &amp;lt;gen_ndr/security.h&amp;gt;
 
 #include "lib/idmap/sss_idmap.h"
 #include "tests/common.h"
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -35,6 +38,8 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; uint8_t test_bin_sid[] = {0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15,
                           0x00};
 size_t test_bin_sid_length = sizeof(test_bin_sid);
 
+struct dom_sid test_smb_sid = {1, 5, {0, 0, 0, 0, 0, 5}, {21, 2127521184, 1604012920, 1887927527, 72713, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}};
+
 struct sss_idmap_ctx *idmap_ctx;
 
 static void *idmap_talloc(size_t size, void *pvt)
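Review bot: the positional initialiser for test_smb_sid depends on the member order sid_rev_num, num_auths, id_auth, sub_auths in Samba's struct dom_sid; designated initialisers (.sid_rev_num = 1, .num_auths = 5, .id_auth = {0, 0, 0, 0, 0, 5}, .sub_auths = {21, ...}) would survive a reordering and are easier to read. The line is also well past 80 columns; wrapping the sub_auths array over two or three lines would help.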
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -267,7 +272,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; START_TEST(idmap_test_uid2bin_sid)
 }
 END_TEST
 
-START_TEST(idmap_test_sid_bin2dom_sid)
+START_TEST(idmap_test_bin_sid2dom_sid)
 {
     struct sss_dom_sid *dom_sid = NULL;
     enum idmap_error_code err;
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -357,6 +362,96 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; START_TEST(idmap_test_bin_sid2sid)
 }
 END_TEST
 
+START_TEST(idmap_test_smb_sid2dom_sid)
+{
+    struct sss_dom_sid *dom_sid = NULL;
+    enum idmap_error_code err;
+    struct dom_sid *new_smb_sid = NULL;
+
+    err = sss_idmap_smb_sid_to_dom_sid(idmap_ctx, &amp;amp;test_smb_sid, &amp;amp;dom_sid);
+    fail_unless(err == IDMAP_SUCCESS,
+                "Failed to convert samba dom_sid to struct sss_dom_sid.");
+
+    err = sss_idmap_dom_sid_to_smb_sid(idmap_ctx, dom_sid, &amp;amp;new_smb_sid);
+    fail_unless(err == IDMAP_SUCCESS,
+                "Failed to convert struct sss_dom_sid to samba dom_sid.");
+
+    fail_unless(memcmp(&amp;amp;test_smb_sid, new_smb_sid, sizeof(struct dom_sid)) == 0,
+                "Samba dom_sid-s do not match.");
+
+    talloc_free(dom_sid);
+    talloc_free(new_smb_sid);
+}
+END_TEST
+
+START_TEST(idmap_test_smb_sid2bin_sid)
+{
+    enum idmap_error_code err;
+    size_t length;
+    uint8_t *bin_sid = NULL;
+
+    err = sss_idmap_smb_sid_to_bin_sid(idmap_ctx, &amp;amp;test_smb_sid,
+                                       &amp;amp;bin_sid, &amp;amp;length);
+    fail_unless(err == IDMAP_SUCCESS,
+                "Failed to convert samba dom_sid to binary sid.");
+    fail_unless(length == test_bin_sid_length,
+                "Size of binary SIDs do not match, got [%d], expected [%d]",
+                length, test_bin_sid_length);
+    fail_unless(memcmp(bin_sid, test_bin_sid, test_bin_sid_length) == 0,
+                "Binary SIDs do not match.");
+
+    talloc_free(bin_sid);
+}
+END_TEST
+
+START_TEST(idmap_test_bin_sid2smb_sid)
+{
+    enum idmap_error_code err;
+    struct dom_sid *smb_sid = NULL;
+
+    err = sss_idmap_bin_sid_to_smb_sid(idmap_ctx, test_bin_sid,
+                                       test_bin_sid_length, &amp;amp;smb_sid);
+    fail_unless(err == IDMAP_SUCCESS,
+                "Failed to convert binary sid to samba dom_sid.");
+    fail_unless(memcmp(&amp;amp;test_smb_sid, smb_sid, sizeof(struct dom_sid)) == 0,
+                 "Samba dom_sid structs do not match.");
+
+    talloc_free(smb_sid);
+}
+END_TEST
+
+START_TEST(idmap_test_smb_sid2sid)
+{
+    enum idmap_error_code err;
+    char *sid = NULL;
+
+    err = sss_idmap_smb_sid_to_sid(idmap_ctx, &amp;amp;test_smb_sid, &amp;amp;sid);
+    fail_unless(err == IDMAP_SUCCESS,
+                "Failed to convert samba dom_sid to sid string.");
+    fail_unless(strcmp(sid, test_sid) == 0, "SID strings do not match, "
+                                            "expected [%s], get [%s]",
+                                            test_sid, sid);
+
+    talloc_free(sid);
+}
+END_TEST
+
+START_TEST(idmap_test_sid2smb_sid)
+{
+    enum idmap_error_code err;
+    struct dom_sid *smb_sid = NULL;
+
+    err = sss_idmap_sid_to_smb_sid(idmap_ctx, test_sid, &amp;amp;smb_sid);
+    fail_unless(err == IDMAP_SUCCESS,
+                "Failed to convert binary sid to samba dom_sid.");
+    fail_unless(memcmp(&amp;amp;test_smb_sid, smb_sid, sizeof(struct dom_sid)) == 0,
+                 "Samba dom_sid structs do not match.");
+
+    talloc_free(smb_sid);
+}
+END_TEST
+
+
 Suite *idmap_test_suite (void)
 {
     Suite *s = suite_create ("IDMAP");
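Review bot: in idmap_test_smb_sid2bin_sid the message "Size of binary SIDs do not match, got [%d], expected [%d]" prints two size_t values with %d; use %zu. The failure message in idmap_test_sid2smb_sid says "Failed to convert binary sid to samba dom_sid." although that test converts the SID string (copy-paste from idmap_test_bin_sid2smb_sid), and idmap_test_smb_sid2sid has "expected [%s], get [%s]" for "got". More importantly, all five new tests are round trips on one valid SID; there is no case feeding a dom_sid with num_auths larger than SID_SUB_AUTHS, or a wrong sid_rev_num, and checking that IDMAP_SID_INVALID comes back as the header promises. There is also a doubled blank line before Suite *idmap_test_suite.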
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -392,10 +487,15 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; Suite *idmap_test_suite (void)
                               idmap_ctx_setup,
                               idmap_ctx_teardown);
 
-    tcase_add_test(tc_conv, idmap_test_sid_bin2dom_sid);
+    tcase_add_test(tc_conv, idmap_test_bin_sid2dom_sid);
     tcase_add_test(tc_conv, idmap_test_sid2dom_sid);
     tcase_add_test(tc_conv, idmap_test_sid2bin_sid);
     tcase_add_test(tc_conv, idmap_test_bin_sid2sid);
+    tcase_add_test(tc_conv, idmap_test_smb_sid2dom_sid);
+    tcase_add_test(tc_conv, idmap_test_smb_sid2bin_sid);
+    tcase_add_test(tc_conv, idmap_test_bin_sid2smb_sid);
+    tcase_add_test(tc_conv, idmap_test_smb_sid2sid);
+    tcase_add_test(tc_conv, idmap_test_sid2smb_sid);
 
     suite_add_tcase(s, tc_conv);
 
&lt;/pre&gt;</description>
    <dc:creator>Sumit Bose</dc:creator>
    <dc:date>2012-05-24T13:04:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9665">
    <title>Re: [PATCH] NSS: Fix segfault when mmap cache cannot be initialized</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9665</link>
    <description>&lt;pre&gt;
Pushed to master.
_______________________________________________
sssd-devel mailing list
sssd-devel&amp;lt; at &amp;gt;lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-24T12:32:07</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9664">
    <title>Re: sssd &amp; AD frequently disconnecting</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9664</link>
    <description>&lt;pre&gt;
https://fedorahosted.org/sssd/ticket/1347

Ondrej had sent me his full logs privately. I found out that the
protocol fallback with SRV queries does not seem to be working once the
query expires.

The workaround is of course to add both protocol families (or rather add
the preferred one for each protocol - _udp for Kerberos and _tcp for
LDAP)
&lt;/pre&gt;</description>
    <dc:creator>Jakub Hrozek</dc:creator>
    <dc:date>2012-05-24T12:17:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9663">
    <title>Re: [PATCH] NSS: Fix segfault when mmap cache cannot be initialized</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9663</link>
    <description>&lt;pre&gt;
You're right, you fixed both. I don't know why I didn't see that. Sorry
for the noise.

Ack.
&lt;/pre&gt;</description>
    <dc:creator>Jakub Hrozek</dc:creator>
    <dc:date>2012-05-24T11:44:12</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9662">
    <title>Re: [PATCHES] Support for ghost users</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.sssd.devel/9662</link>
    <description>&lt;pre&gt;

Replied privately with confidential data.
&lt;/pre&gt;</description>
    <dc:creator>Stephen Gallagher</dc:creator>
    <dc:date>2012-05-24T11:29:02</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.redhat.sssd.devel">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.redhat.sssd.devel</link>
  </textinput>
</rdf:RDF>

