
Catch up with C8S. #7700

Open
wants to merge 8 commits into base: sssd-2-9-4

Conversation

alexey-tikhonov
Member

No description provided.

andreboscatto and others added 7 commits November 15, 2024 11:46
Resolves: SSSD#7173

Reviewed-by: Iker Pedrosa <[email protected]>
Reviewed-by: Tomáš Halman <[email protected]>
(cherry picked from commit 945cebc)
(cherry picked from commit dd0f632)
AD handles users and computer objects very similarly and so does SSSD's
GPO code when looking up the host's group-memberships. But users and
computers might be stored in different sub-trees of the AD LDAP tree and
if a dedicated user search base is given with the ldap_user_search_base
option in sssd.conf the host object might be in a different sub-tree. To
make sure the host can still be found this patch uses the base DN of
the LDAP tree when searching for hosts in the GPO code.

Resolves: SSSD#5708

Reviewed-by: Alejandro López <[email protected]>
Reviewed-by: Tomáš Halman <[email protected]>
(cherry picked from commit 29a77c6)
(cherry picked from commit a7621a5)
The naming_context could be a more reliable source than basedn for the
actual base DN because basedn is set very early from the domain name
given in sssd.conf. Although it is recommended to use the fully
qualified DNS domain name here it is not required. As a result basedn
might not reflect the actual base DN of the LDAP server. Also pure LDAP
servers (i.e. not AD or FreeIPA) might use different schemes to set the
base DN which will not be based on the DNS domain of the LDAP server.

Resolves: SSSD#5708

Reviewed-by: Alejandro López <[email protected]>
Reviewed-by: Tomáš Halman <[email protected]>
(cherry picked from commit a153f13)
(cherry picked from commit 6a8e60d)
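The mismatch the commit above describes can be checked from the client side by comparing the base DN SSSD would derive from the configured domain name with the defaultNamingContext the server reports in its RootDSE. The script below is an added example and not SSSD code; the domain names, the RootDSE answer and the derivation rule (domain-name components become `dc=` RDNs) are constructed assumptions for illustration.

```sh
#!/bin/sh
# Added example (not part of SSSD): does the base DN derived from the sssd.conf
# domain name match the server's defaultNamingContext? All inputs are constructed.

# Turn a DNS-style domain name into "dc=a,dc=b" (assumed derivation rule).
domain_to_basedn() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | awk -F. '{
        out = ""
        for (i = 1; i <= NF; i++) out = out (i > 1 ? "," : "") "dc=" $i
        print out
    }'
}

# Pull defaultNamingContext out of RootDSE output in LDIF form (what
# `ldapsearch -x -s base -b "" defaultNamingContext` prints) and normalise it
# to lower case without spaces after commas so it compares like a DN string.
naming_context_from_ldif() {
    awk -F': ' 'tolower($1) == "defaultnamingcontext" { print $2; exit }' \
        | tr 'A-Z' 'a-z' | sed 's/, */,/g'
}

# Constructed RootDSE answer of a domain controller for corp.example.com.
ROOTDSE_LDIF='dn:
namingContexts: DC=corp,DC=example,DC=com
namingContexts: CN=Configuration,DC=corp,DC=example,DC=com
defaultNamingContext: DC=corp,DC=example,DC=com
'

# Return 0 when the derived base DN equals the server's naming context.
check_basedn() {
    derived=$(domain_to_basedn "$1")
    actual=$(printf '%s' "$2" | naming_context_from_ldif)
    [ "$derived" = "$actual" ]
}

# The fully qualified name matches; a short sssd.conf domain name such as
# "corp" yields "dc=corp", which is not the server's base DN.
for d in corp.example.com corp; do
    if check_basedn "$d" "$ROOTDSE_LDIF"; then
        echo "$d: derived base DN matches defaultNamingContext"
    else
        echo "$d: derived $(domain_to_basedn "$d") but server reports $(printf '%s' "$ROOTDSE_LDIF" | naming_context_from_ldif)"
    fi
done
```

Against a live server, replace the constructed LDIF with the output of `ldapsearch -x -H ldap://<server> -s base -b "" defaultNamingContext`; the second case is exactly the situation in which reading the naming context is more reliable than the configured domain name.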
While introducing the local_auth_policy option a quite specific use-case
was not covered correctly. If there are multiple matching certificates
on the Smartcard, 'local_auth_policy = only' is set and GDM's Smartcard
mode was used for login, i.e. there is no user name given and the user
has to be derived from the certificate used for login, authentication
failed. The main reason for the failure is that in this case the
Smartcard interaction and the user mapping has to be done first to
determine the user before local_auth_policy is evaluated. As a result
when checking if the authentication can be finished the request was in
an unexpected state because the indicator for local Smartcard
authentication was not enabled.

Resolves: SSSD#7109

Reviewed-by: Justin Stephenson <[email protected]>
Reviewed-by: Scott Poore <[email protected]>
(cherry picked from commit 44ec3e4)
(cherry picked from commit 50077c3)
Currently after the evaluation of a single GPO file the intermediate
results are stored in the cache and this cache entry is updated until
all applicable GPO files are evaluated. Finally the data in the cache is
used to make the decision whether access is granted or rejected.

If there are two or more access-control requests running in parallel one
request might overwrite the cache object with intermediate data while
another request reads the cached data for the access decision and as a
result will make this decision based on intermediate data.

To avoid this the intermediate results are not stored in the cache
anymore but in hash tables which are specific to the request. Only the
final result is written to the cache to have it available for offline
authentication.

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Tomáš Halman <[email protected]>
(cherry picked from commit d7db797)
(cherry picked from commit e1bfbc2)
If the domain object of the forest root domain cannot be found in the
LDAP tree of the local AD domain SSSD tries to read the requested data
from an LDAP server of the forest root domain directly. After reading
this data the information is stored in the cache but currently the
information about the domain stored in memory is not updated with the
additional data. As a result e.g. the domain SID is missing in this data
and only becomes available after a restart where it is read from the
cache.

With this patch an unconditional refresh is triggered at the end of the
fallback code path.

Resolves: SSSD#7250

Reviewed-by: Dan Lavu <[email protected]>
Reviewed-by: Tomáš Halman <[email protected]>
(cherry picked from commit 0de6c33)
(cherry picked from commit db27a51)
This was previously hardcoded to 31 seconds (hardcoded retry_timout +
1). This may be too short a period under some circumstances.

When we retry the primary server we drop the connection to the backup
server and if the primary server is not yet available (and there are
many unavailable primary servers) we may go through a long timeout cycle
every half minute.

This patch makes the value configurable.

:config: Added `failover_primary_timout` configuration option. This
  can be used to configure how often SSSD tries to reconnect to a
  primary server after a successful connection to a backup server.
  This was previously hardcoded to 31 seconds which is kept as
  the default value.

Resolves: SSSD#7375

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Iker Pedrosa <[email protected]>
(cherry picked from commit e9738e3)
(cherry picked from commit 14f32f6)
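An sssd.conf fragment showing the default beside a longer interval, as an added example rather than configuration shipped with the change. The domain name, server names and the ten-minute value are assumptions; the option is assumed to take seconds and to live in the domain section, and its name is written here as `failover_primary_timeout` (the spelling used by sssd.conf(5)), whereas the commit message above writes it without the second "e".

```ini
[domain/example.com]
id_provider = ad
ad_server = dc1.example.com, dc2.example.com
ad_backup_server = dc-remote.example.com

# Default, equal to the formerly hardcoded value: while connected to a backup
# server, retry the primary list every 31 seconds.
# failover_primary_timeout = 31

# Longer interval (assumed value) so that a long list of unreachable primary
# servers is not re-probed, and the backup connection dropped, every half minute.
failover_primary_timeout = 600
```

Each retry drops the working backup connection, so the trade-off is between returning to a primary server promptly once it is back and avoiding repeated lookup outages while it is not.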
Reviewed-by: Justin Stephenson <[email protected]>
(cherry picked from commit ea2d0aa)
@alexey-tikhonov alexey-tikhonov marked this pull request as ready for review November 15, 2024 14:41
@alexey-tikhonov alexey-tikhonov added Accepted Ready to push Ready to push no-backport This should go to target branch only. labels Nov 15, 2024