sssd.git/src/sysv, branch sssctl Unnamed repository; edit this file 'description' to name the repository. KCM: Fix Description of sssd-kcm.socket 2017-07-25T09:30:58+00:00 Jakub Hrozek jhrozek@redhat.com 2017-07-25T08:46:16+00:00 4b4603fb80df5312c6d72ce13219e2d740a48b68 Reviewed-by: Michal Židek <mzidek@redhat.com> 
Reviewed-by: Michal Židek <mzidek@redhat.com>
KCM: Initial responder build and packaging 2017-03-27T07:56:19+00:00 Jakub Hrozek jhrozek@redhat.com 2016-08-01T10:52:07+00:00 b9c563c29243291f40489bb0dcbf3946fca72d58 Adds the initial build of the Kerberos Cache Manager responder (KCM). This is a deamon that is capable of holding and storing Kerberos ccaches. When KCM is used, the kerberos libraries (invoked through e.g. kinit) are referred to as a 'client' and the KCM deamon is referred to as 'server'. At the moment, only the Heimdal implementation of Kerberos implements the KCM server: https://www.h5l.org/manual/HEAD/info/heimdal/Credential-cache-server-_002d-KCM.html This patch adds a KCM server to SSSD. In MIT, only the 'client-side' support was added: http://k5wiki.kerberos.org/wiki/Projects/KCM_client This page also describes the protocol between the client and the server. The client is capable of talking to the server over either UNIX sockets (Linux, most Unixes) or Mach RPC (macOS). Our server only implements the UNIX sockets way and should be socket-activated by systemd, although can in theory be also ran explicitly. The KCM server only builds if the configuration option "--with-kcm" is enabled. It is packaged in a new subpackage sssd-kcm in order to allow distributions to enable the KCM credential caches by installing this subpackage only, without the rest of the SSSD. The sssd-kcm subpackage also includes a krb5.conf.d snippet that allows the admin to just uncomment the KCM defaults and instructs them to start the socket. The server can be configured in sssd.conf in the "[kcm]" section. By default, the server only listens on the same socket path the Heimdal server uses, which is "/var/run/.heim_org.h5l.kcm-socket". This is, however, configurable. The file src/responder/kcm/kcm.h is more or less directly imported from the MIT Kerberos tree, with an additional sentinel code and some comments. Not all KCM operations are implemented, only those that also the MIT client implements. That said, this KCM server should also be usable with a Heimdal client, although no special testing was with this hybrid. The patch also adds several error codes that will be used in later patches. Related to: https://pagure.io/SSSD/sssd/issue/2887 Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Adds the initial build of the Kerberos Cache Manager responder (KCM).

This is a deamon that is capable of holding and storing Kerberos
ccaches. When KCM is used, the kerberos libraries (invoked through e.g.
kinit) are referred to as a 'client' and the KCM deamon is referred to
as 'server'.

At the moment, only the Heimdal implementation of Kerberos implements the
KCM server:
    https://www.h5l.org/manual/HEAD/info/heimdal/Credential-cache-server-_002d-KCM.html
This patch adds a KCM server to SSSD.

In MIT, only the 'client-side' support was added:
    http://k5wiki.kerberos.org/wiki/Projects/KCM_client
This page also describes the protocol between the client and the server.

The client is capable of talking to the server over either UNIX sockets
(Linux, most Unixes) or Mach RPC (macOS). Our server only implements the
UNIX sockets way and should be socket-activated by systemd, although can
in theory be also ran explicitly.

The KCM server only builds if the configuration option "--with-kcm" is
enabled. It is packaged in a new subpackage sssd-kcm in order to allow
distributions to enable the KCM credential caches by installing this
subpackage only, without the rest of the SSSD. The sssd-kcm subpackage
also includes a krb5.conf.d snippet that allows the admin to just uncomment
the KCM defaults and instructs them to start the socket.

The server can be configured in sssd.conf in the "[kcm]" section.
By default, the server only listens on the same socket path the Heimdal
server uses, which is "/var/run/.heim_org.h5l.kcm-socket". This is,
however, configurable.

The file src/responder/kcm/kcm.h is more or less directly imported from
the MIT Kerberos tree, with an additional sentinel code and some
comments. Not all KCM operations are implemented, only those that also
the MIT client implements. That said, this KCM server should also be
usable with a Heimdal client, although no special testing was with this
hybrid.

The patch also adds several error codes that will be used in later
patches.

Related to:
    https://pagure.io/SSSD/sssd/issue/2887

Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
NSS: Don't call chown on NSS service's ExecStartPre 2017-03-15T15:01:48+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-03-15T13:21:36+00:00 ecaf0bb271812c3af3e5916f14da0e37d26994d2 The sssd-nss.service attempts to chown its log file to ensure it has the correct owner. Unfortunately, when this happens, it enters in a loop trying to call into the name-service switch and hangs forever. For now the approach taken is to just remove the ExecStartPre from the NSS service. Resolves: https://pagure.io/SSSD/sssd/issue/3322 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
The sssd-nss.service attempts to chown its log file to ensure it has the
correct owner. Unfortunately, when this happens, it enters in a loop
trying to call into the name-service switch and hangs forever.

For now the approach taken is to just remove the ExecStartPre from the
NSS service.

Resolves:
https://pagure.io/SSSD/sssd/issue/3322

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
NSS: Ensure the NSS socket is started before any other services' sockets 2017-03-15T15:01:41+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-03-13T16:35:03+00:00 e19327b3b06e723e5162f0c91cb77ba254bb3dc7 Although I didn't have any problem with this before I'd like to ensure that the NSS socket is always up _before_ any other (SSSD) services' sockets as they may trigger initgroups calls as some of them have SocketUser and SocketGroup set to the "sssd" user. Related: https://pagure.io/SSSD/sssd/issue/3322 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Although I didn't have any problem with this before I'd like to ensure
that the NSS socket is always up _before_ any other (SSSD) services'
sockets as they may trigger initgroups calls as some of them have
SocketUser and SocketGroup set to the "sssd" user.

Related:
https://pagure.io/SSSD/sssd/issue/3322

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
NSS: Don't set SocketUser/SocketGroup as "sssd" in sssd-nss.socket 2017-03-15T15:01:34+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-03-13T16:06:04+00:00 b7430c4f4b98efe08d9d13d202fbb76229628b30 NSS service is always run as root, so there's no need to change its socket ownership to the sssd user. More than that, by setting up the SocketUser and SocketGroup to "sssd" a loop would be caused as the "sssd" would trigger an initgroups call during the NSS socket setup. The problem was found when starting up a machine with SSSD built with "--with-sssd-user=sssd" and having "sss" before "files" in the name-service switch. Related: https://pagure.io/SSSD/sssd/issue/3322 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
NSS service is always run as root, so there's no need to change its
socket ownership to the sssd user.

More than that, by setting up the SocketUser and SocketGroup to "sssd"
a loop would be caused as the "sssd" would trigger an initgroups call
during the NSS socket setup.

The problem was found when starting up a machine with SSSD built with
"--with-sssd-user=sssd" and having "sss" before "files" in the
name-service switch.

Related:
https://pagure.io/SSSD/sssd/issue/3322

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Allow manual start for sssd-ifp 2017-03-08T17:08:38+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-08T11:15:01+00:00 87ca3fda3e6da4df4f4886ca6768fbc01201e26f This change is needed so that the InfoPipe responder can be socket activated. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
This change is needed so that the InfoPipe responder can be socket
activated.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
SYSTEMD: Force responders to refuse manual start 2017-03-02T15:51:03+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-02-05T20:38:57+00:00 e0ca21d9f899c60cc50030c6ae793c48e92b5b7f As the responders will either be explicitly started by the monitor or {dbus,socket}-activated, let's force them to refuse manual start, being a little bit restricter on our side. Resolves: https://pagure.io/SSSD/sssd/issue/3300 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
As the responders will either be explicitly started by the monitor or
{dbus,socket}-activated, let's force them to refuse manual start, being
a little bit restricter on our side.

Resolves:
https://pagure.io/SSSD/sssd/issue/3300

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SYSTEMD: Don't mix up responders' socket and monitor activation 2017-03-02T15:46:23+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-02-12T21:20:26+00:00 9c0c83eecf963416effee67dab55711234373fde Let's ensure that in case a responder is explicitly configured in the sssd.conf its socket won't even start. The patchset introduces a new binary that will be distributed and will be called before starting the responders' sockets, ensuring the sockets will only start in case the responder is supposed to be socket-activated and its been configured accordingly. Otherwise the responders' socket startup will fail with a quite helpful debug message leading the admins to choose between using systemd or not and what has to be done to achieve their desire. This suggestion came from Sumit Bose. The reason for adding a new binary instead of a simple python script is to avoid dragging unnecessary dependencies to sssd-common package. Resolves: https://pagure.io/SSSD/sssd/issue/3300 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Let's ensure that in case a responder is explicitly configured in the
sssd.conf its socket won't even start.

The patchset introduces a new binary that will be distributed and will
be called before starting the responders' sockets, ensuring the sockets
will only start in case the responder is supposed to be socket-activated
and its been configured accordingly. Otherwise the responders' socket
startup will fail with a quite helpful debug message leading the admins
to choose between using systemd or not and what has to be done to achieve
their desire.

This suggestion came from Sumit Bose.

The reason for adding a new binary instead of a simple python script is
to avoid dragging unnecessary dependencies to sssd-common package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3300

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SYSTEMD: Avoid starting a responder socket in case SSSD is not started 2017-03-01T11:03:03+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-02-06T18:05:29+00:00 bd5e09bad2b0ac8a7ca78f45d90c8ebb903efaa3 As systemd adds "Before=sockets.target" to any socket unit by default, during the startup of the system we can end up having a responder socket up, being contacted while SSSD is shutdown. By using "DefaultDependencies=no" we ensure that sockets.target won't trigger the sockets' startup and that it only will be done when SSSD is up. The downside of using "DefaultDependencies=no" is that we have to deal with conflicts and add "Conflicts=shutdown.target" to each of the sockets unit. This patch has been suggested by Lukáš Nykrýn. Related: https://pagure.io/SSSD/sssd/issue/3298 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
As systemd adds "Before=sockets.target" to any socket unit by default,
during the startup of the system we can end up having a responder socket
up, being contacted while SSSD is shutdown.

By using "DefaultDependencies=no" we ensure that sockets.target won't
trigger the sockets' startup and that it only will be done when SSSD is
up. The downside of using "DefaultDependencies=no" is that we have to
deal with conflicts and add "Conflicts=shutdown.target" to each of the
sockets unit.

This patch has been suggested by Lukáš Nykrýn.

Related:
https://pagure.io/SSSD/sssd/issue/3298

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SYSTEMD: Add "After=sssd.service" to the responders' sockets units 2017-03-01T11:02:56+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-02-04T17:12:22+00:00 0adcf95a423155f9c9d8062af42561402ceab4cc While debugging the whole breakage reported by Stric I've noticed that the NSS socket has been starting up the NSS responder _before_ SSSD being up. As libc does initgroups on pretty much any account and initgroups checks all NSS modules in order to be precise, the nss_sss triggers the NSS responder which would try talking to the data providers which are not up uet (because SSSD is not up yet), causing the whole process to hang until libc gives up (causing a timeout on services like systemd-logind and on services depending on this one). By adding this ordering explicitly we can avoid the reported situation. Also, it has been recommend by Lukáš Nykrýn that "BindsTo", which is used to tie up two services, and After must be used together in order to avoid undefined/unexpected behavior (although it's still not mentioned in the systemd documentation). Related: https://pagure.io/SSSD/sssd/issue/3298 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
While debugging the whole breakage reported by Stric I've noticed that
the NSS socket has been starting up the NSS responder _before_ SSSD
being up. As libc does initgroups on pretty much any account and
initgroups checks all NSS modules in order to be precise, the nss_sss
triggers the NSS responder which would try talking to the data providers
which are not up uet (because SSSD is not up yet), causing the whole
process to hang until libc gives up (causing a timeout on services like
systemd-logind and on services depending on this one).

By adding this ordering explicitly we can avoid the reported situation.
Also, it has been recommend by Lukáš Nykrýn that "BindsTo", which is
used to tie up two services, and After must be used together in order to
avoid undefined/unexpected behavior (although it's still not mentioned
in the systemd documentation).

Related:
https://pagure.io/SSSD/sssd/issue/3298

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>