From ftpmaster at ftp-master.debian.org Fri Dec 2 23:56:15 2016
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Fri, 02 Dec 2016 23:56:15 +0000
Subject: [Pkg-sssd-devel] Processing of nss-wrapper_1.1.3-1_source.changes
Message-ID: 

nss-wrapper_1.1.3-1_source.changes uploaded successfully to localhost
along with the files:
  nss-wrapper_1.1.3-1.dsc
  nss-wrapper_1.1.3.orig.tar.gz
  nss-wrapper_1.1.3-1.debian.tar.gz

Greetings,

    Your Debian queue daemon (running on host usper.debian.org)

From ftpmaster at ftp-master.debian.org Sat Dec 3 00:04:33 2016
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Sat, 03 Dec 2016 00:04:33 +0000
Subject: [Pkg-sssd-devel] nss-wrapper_1.1.3-1_source.changes ACCEPTED into unstable
Message-ID: 

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 03 Dec 2016 01:40:21 +0200
Source: nss-wrapper
Binary: libnss-wrapper
Architecture: source
Version: 1.1.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian SSSD Team
Changed-By: Timo Aaltonen
Description:
 libnss-wrapper - NSS wrapper library
Closes: 838445
Changes:
 nss-wrapper (1.1.3-1) unstable; urgency=medium
 .
   * New upstream release.
   * control: Add versioned build-depends on libcmocka-dev. (Closes: #838445)
   * control: Use https vcs urls.
   * control: Bump policy to 3.9.8, no changes.
   * no-soname.diff: Refreshed.
Checksums-Sha1:
 163f1726f723c10e5cfaf8a703b022873bb473e6 2081 nss-wrapper_1.1.3-1.dsc
 bfecb9db37eb3f1016e3ccf19b6eda1027606522 53543 nss-wrapper_1.1.3.orig.tar.gz
 6b4801030c796b046a3c979432bb3c2d59c9a7cd 5448 nss-wrapper_1.1.3-1.debian.tar.gz
Checksums-Sha256:
 a54024c2eecdc98413c25205b8108e9a2459bf10cb1b857e87f12ec54026d7b3 2081 nss-wrapper_1.1.3-1.dsc
 c9b84c14c5bc6948cdad4cbdeefaaf8b471a11ef876535002896779411573aa3 53543 nss-wrapper_1.1.3.orig.tar.gz
 e378cb6163c075cb9055197c8a75d319eea116bf189eca36b5c9e9d2e0dbe070 5448 nss-wrapper_1.1.3-1.debian.tar.gz
Files:
 0db49b1825ef37d5219791784974c70f 2081 devel optional nss-wrapper_1.1.3-1.dsc
 a203fbcfd747bb379e59ccd5c3c00a50 53543 devel optional nss-wrapper_1.1.3.orig.tar.gz
 9f20b0c74a2b400370d5c2bccad222f2 5448 devel optional nss-wrapper_1.1.3-1.debian.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYQghXAAoJEMtwMWWoiYTc2tkP/AqK9weLYbXpqGAY1GU3RAda
TcOb39nneT/ELO6o5FhvEqsztEZGH2O6T8Qo9bkhX/vjbFFpKqNQVfgOd3U+mg9m
PfPqE9ZMWlSSE1/vtyK2/stuPIt0FUc2jJukPlXUBHnf3jWJhwu+K52QaQA9/zP1
LAWaXFkM7NiC6ljC2uuLsj48VbXu5yLI6RFc5GNx6dB43t01lYmIlCfc3w1WgQcw
QfvbISZVGY06HCLPU8JYE33lQv5rJDgPXY67czH8qOxr49/5lyLr6PcSmbwPrhQn
hftnTPA/EkCjvXx696ncXLB9dAL6U4tS9W/9GAnbglH5Te/HpBK372nGYJ2Gc87p
AUtXXaupYSFENgjY+4REuAaWedn3e+PSS5y1mHGS2y0HzJRhKraH4GOxZy8iJw+J
aRL8e7MhZ4i+HLJmjn2Cen1CEf9bEG7qHK0lIoAAVa2eVu7MBtAuISY7iQuGpPQU
gVP7ENwO0HVfVSEf/nQvB6hNlvAGuSxAjowHLg+nOcrtmv8FLsX7gmecDV4X7uxe
oEMNjra18hlcLabd4HBToUrZnKxqVt8cv8VL3qLzMYnAAzv3WneReJUcHipBjiBc
FE/a6S706SgukaUnfegL/XsMKRkuszSDsqyZqqEtM4w8nL4WnGTHQ67GW+f/Jrwq
rGN99e+dAIz1E6fIXLcL
=ckW6
-----END PGP SIGNATURE-----


Thank you for your contribution to Debian.
From owner at bugs.debian.org Sat Dec 3 00:09:03 2016
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 03 Dec 2016 00:09:03 +0000
Subject: [Pkg-sssd-devel] Bug#838445: marked as done (libnss-wrapper: nss-wrapper fails to build on jessie)
References: <147444816480.5544.14053851672185435334.reportbug@blue.spectralmud.org>
Message-ID: 

Your message dated Sat, 03 Dec 2016 00:04:33 +0000
with message-id 
and subject line Bug#838445: fixed in nss-wrapper 1.1.3-1
has caused the Debian Bug report #838445,
regarding libnss-wrapper: nss-wrapper fails to build on jessie
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

-- 
838445: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838445
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: Richard James Salts
Subject: libnss-wrapper: nss-wrapper fails to build on jessie
Date: Wed, 21 Sep 2016 18:56:04 +1000
Size: 2125
URL: 
-------------- next part --------------
An embedded message was scrubbed...
From: Timo Aaltonen
Subject: Bug#838445: fixed in nss-wrapper 1.1.3-1
Date: Sat, 03 Dec 2016 00:04:33 +0000
Size: 5268
URL: 

From noreply at release.debian.org Thu Dec 8 16:39:18 2016
From: noreply at release.debian.org (Debian testing watch)
Date: Thu, 08 Dec 2016 16:39:18 +0000
Subject: [Pkg-sssd-devel] nss-wrapper 1.1.3-1 MIGRATED to testing
Message-ID: 

FYI: The status of the nss-wrapper source package
in Debian's testing distribution has changed.
  Previous version: 1.1.2-1
  Current version:  1.1.3-1

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

From dh at synoia.com Thu Dec 22 00:41:42 2016
From: dh at synoia.com (Duncan Hare)
Date: Wed, 21 Dec 2016 19:41:42 -0500
Subject: [Pkg-sssd-devel] Bug#849033: sssd: RO file system, var in tmpfs, directory struct correct, sssd fails to write sssd.log
Message-ID: <20161222004142.1060.1885.reportbug@raspberrypi>

Package: sssd
Version: 1.11.7-3
Severity: important

-- System Information:
Distributor ID: Raspbian
Description:    Raspbian GNU/Linux 8.0 (jessie)
Release:        8.0
Codename:       jessie
Architecture: armv7l
Kernel: Linux 4.4.34-v7+ (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sssd depends on:
ii  python-sss   1.11.7-3
ii  sssd-ad      1.11.7-3
ii  sssd-common  1.11.7-3
ii  sssd-ipa     1.11.7-3
ii  sssd-krb5    1.11.7-3
ii  sssd-ldap    1.11.7-3
ii  sssd-proxy   1.11.7-3

sssd recommends no packages.

sssd suggests no packages.

-- debconf-show failed

-- Logs begin at Wed 2016-12-21 18:58:14 EST, end at Wed 2016-12-21 19:17:02 EST. --
Dec 21 18:58:21 raspberrypi sssd[334]: Could not open file [/var/log/sssd/sssd.log]. Error: [2][No such file or directory]
Dec 21 18:58:21 raspberrypi systemd[1]: sssd.service: control process exited, code=exited status=7
Dec 21 18:58:21 raspberrypi systemd[1]: Failed to start System Security Services Daemon.
Dec 21 18:58:21 raspberrypi systemd[1]: Unit sssd.service entered failed state.
Dec 21 18:58:21 raspberrypi systemd[1]: Starting User and Group Name Lookups.
Dec 21 18:58:21 raspberrypi systemd[1]: Reached target User and Group Name Lookups.
/var/log/sssd directory
total 4
-rw-rw-rw- 1 root root   0 Dec 21 17:26 sssd_pam.log
-rw-rw-rw- 1 root root   0 Dec 21 17:26 sssd_nss.log
-rw-rw-rw- 1 root root 496 Dec 21 17:26 sssd.log
-rw-rw-rw- 1 root root   0 Dec 21 17:26 sssd_Danum.local.log
-rw-rw-rw- 1 root root   0 Dec 21 17:26 ldap_child.log
-rw-rw-rw- 1 root root   0 Dec 21 17:26 krb5_child.log

Directory populated for prior start of system with rw file system.
/var is now a temp fs, with the directory structure copied in before sssd starts.
sssd running default config.

From skupko.sk at gmail.com Thu Dec 29 14:45:02 2016
From: skupko.sk at gmail.com (Peter Viskup)
Date: Thu, 29 Dec 2016 15:45:02 +0100
Subject: [Pkg-sssd-devel] Bug#806444: Configuration issue discovered
Message-ID: 

You can close this bug report.
Discovered the configuration option "enumerate = true" for domain solved the issue.
It is related to LDAP schema rfc2307 (default), which supports ldap group
membership relation by memberUID attribute of group. In that case the
enumeration needs to be enabled to get the list of all LDAP groups populated
into the cache.
Other solution would be to use rfc2307bis schema, which supports ldap group
membership by user's memberOf attribute. In that case the enumeration should
not be needed as the user group membership will be discovered within user
information retrieval.
Maybe documentation could be improved.

-- 
Peter

From brlink at debian.org Fri Dec 30 15:39:10 2016
From: brlink at debian.org (Bernhard R. Link)
Date: Fri, 30 Dec 2016 15:39:10 -0000
Subject: [Pkg-sssd-devel] Bug#849756: sssd-ldap fails to connect to ldaps:// due to problem with non-blocking socket
Message-ID: 

Package: sssd-ldap
Version: 1.14.2-1
Severity: serious
Tags: security

Feel free to downgrade the severity, but as this sends passwords in cleartext
(though in a case that I hope will never work so not that likely to lose
important passwords) and makes me wonder whether this package can work at all
with any ldaps server, I guessed it might be a suitable severity.

This might be the cause of other "[sdap_process_result] (0x0040): ldap_result
error: [Can't contact LDAP server]" bug reports, but as this error message is
so generic, I'm creating a new bug report.

sssd calls ldap_install_tls on a socket without removing any NON_BLOCKING bits
from it. This seems to be not supported by the current libldap2-4 version,
which returns LDAP_SUCCESS but later fails. Due to the way libldap fails the
request is then sent unencrypted (within the SSL stream).

Here it usually happens that sssd sends both the "Client Hello" and an
"Application Data" block (containing unencrypted ldap_default_bind_dn and
ldap_default_authtok) before the server can even answer with a hello, and the
server then sends (depending when the Application data arrives) either an
Unexpected Message Fatal Alert or an Unencrypted Data Alert. (The ldap server
log reports TLS handshake errors, while on the sssd side one gets
"[sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]").
Some example data extracted from the output of wireshark:

Transmission Control Protocol, Src Port: 47911 (47911), Dst Port: 636 (636), Seq: 1, Ack: 1, Len: 150
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 145
        Handshake Protocol: Client Hello
Transmission Control Protocol, Src Port: 47911 (47911), Dst Port: 636 (636), Seq: 151, Ack: 1, Len: 140
Secure Sockets Layer
    TLSv1.2 Record Layer: Application Data Protocol: ldap
        Content Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 135
        Encrypted Application Data: 30818402010160600201030439636e3dxxxxxxxxxxxxxxxx...
Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911), Seq: 1, Ack: 151, Len: 0
Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911), Seq: 1, Ack: 291, Len: 0
Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911), Seq: 1, Ack: 291, Len: 1448
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 53
        Handshake Protocol: Server Hello
Transmission Control Protocol, Src Port: 47911 (47911), Dst Port: 636 (636), Seq: 291, Ack: 1449, Len: 0
Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911), Seq: 1449, Ack: 291, Len: 2648
[2 Reassembled TCP Segments (3389 bytes): #29(1390), #31(1999)]
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 3384
        Handshake Protocol: Certificate
    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 527
        Handshake Protocol: Server Key Exchange
Transmission Control Protocol, Src Port: 47911 (47911), Dst Port: 636 (636), Seq: 291, Ack: 4097, Len: 0
Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911), Seq: 4097, Ack: 291, Len: 216
[2 Reassembled TCP Segments (333 bytes): #31(117), #33(216)]
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 328
        Handshake Protocol: Certificate Request
        Handshake Protocol: Server Hello Done
Transmission Control Protocol, Src Port: 47911 (47911), Dst Port: 636 (636), Seq: 291, Ack: 4313, Len: 0
Transmission Control Protocol, Src Port: 636 (636), Dst Port: 47911 (47911), Seq: 4313, Ack: 291, Len: 7
Secure Sockets Layer
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unexpected Message)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message

The content of the "Application Data Protocol: ldap" package is plain
non-encrypted data (here a bit redacted):

0``9cn=XXXXXXXXXXXXXXXXXXXX,cn=XXXXXXXXXXXXX,cn=XXXX,ou=XXXXX MYPASWORD_______________________01.3.6.1.4.1.42.2.27.8.5.1

As I can see it the cause of this is that in
../openldap-2.4.44+dfsg/libraries/libldap/tls2.c the code is:

#ifdef LDAP_USE_NON_BLOCKING_TLS
    /*
     * Use non-blocking io during SSL Handshake when a timeout is configured
     */
    if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
        ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb );
        ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_FD, &sd );
        tv = ld->ld_options.ldo_tm_net;
        tv0 = tv;
#ifdef HAVE_GETTIMEOFDAY
        gettimeofday( &start_time_tv, NULL );
#else /* ! HAVE_GETTIMEOFDAY */
        time( &start_time_tv.tv_sec );
        start_time_tv.tv_usec = 0;
#endif /* ! HAVE_GETTIMEOFDAY */
    }
#endif /* LDAP_USE_NON_BLOCKING_TLS */

    ld->ld_errno = LDAP_SUCCESS;
    ret = ldap_int_tls_connect( ld, conn );

#ifdef LDAP_USE_NON_BLOCKING_TLS
    while ( ret > 0 ) { /* this should only happen for non-blocking io */
        [shortened to make it more readable]
    }
#endif /* LDAP_USE_NON_BLOCKING_TLS */

    if ( ret < 0 ) {
        if ( ld->ld_errno == LDAP_SUCCESS )
            ld->ld_errno = LDAP_CONNECT_ERROR;
        return (ld->ld_errno);
    }

    ssl = ldap_pvt_tls_sb_ctx( sb );
    assert( ssl != NULL );

    /*
     * compare host with name(s) in certificate
     */
    if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
        ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
        ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
        if (ld->ld_errno != LDAP_SUCCESS) {
            return ld->ld_errno;
        }
    }
    return LDAP_SUCCESS;
}

i.e. libldap expects that if it does not set the fd non-blocking,
ldap_int_tls_connect will not return > 0 (which it does if
gnutls_handshake returns GNUTLS_E_AGAIN).

(and the only place LDAP_USE_NON_BLOCKING_TLS is defined is:

#ifdef LDAP_DEVEL
#define LDAP_USE_NON_BLOCKING_TLS
#endif /* LDAP_DEVEL */

earlier in the same file. Running sssd in a debugger shows that the code is
not compiled in (i.e. it is not defined as expected))

The test of sssd with the problem was done with libldap-2.4-2 version
2.4.44+dfsg-2 and libgnutls30 version 3.5.7-3.
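The report above shows two symptoms a defender can look for in a capture of an ldaps:// connection: the client sends a TLS "Application Data" record before the server has even sent its ServerHello, and the body of that record is not ciphertext but a BER-encoded LDAP simple BindRequest (the redacted dump begins 30 81 84 02 01 01 60 60 02 01 03 04 39 "cn=", i.e. SEQUENCE, messageID 1, BindRequest, version 3, a 57-byte DN). The following script is an added example, not part of the bug report and not sssd or OpenLDAP code; it parses TLS record headers and enough BER to confirm such a leak from a packet capture without ever printing the password. The sample flow, DN and password are constructed placeholders that mirror the capture's record order.

```python
"""Added example: flag a plaintext LDAP bind that went out as 'Application Data'.
Not from the bug report, sssd or OpenLDAP; all sample data below is constructed."""
import struct

TLS_ALERT, TLS_HANDSHAKE, TLS_APPLICATION_DATA = 21, 22, 23
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2


def parse_tls_records(data):
    """Split a byte string into (content_type, version, body) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        records.append((ctype, version, body))
        off += 5 + length
    return records


def read_tlv(buf, off):
    """Decode one BER element at buf[off]; return (tag, value, next_offset)."""
    tag, first = buf[off], buf[off + 1]
    off, length = off + 2, first
    if first & 0x80:                       # long form: next N bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[off:off + length], off + length


def cleartext_bind_request(body):
    """Return (message_id, bind_dn, password_length) if body is a plaintext
    LDAPMessage carrying a simple BindRequest, else None. Real ciphertext fails
    the tag checks almost immediately; the password itself is never returned."""
    try:
        tag, msg, end = read_tlv(body, 0)
        if tag != 0x30 or end != len(body):          # LDAPMessage ::= SEQUENCE
            return None
        tag, msg_id, off = read_tlv(msg, 0)
        if tag != 0x02:                               # messageID INTEGER
            return None
        tag, bind, _ = read_tlv(msg, off)
        if tag != 0x60:                               # BindRequest [APPLICATION 0]
            return None
        tag, version, off = read_tlv(bind, 0)
        if tag != 0x02 or int.from_bytes(version, "big") != 3:
            return None
        tag, dn, off = read_tlv(bind, off)            # name LDAPDN (OCTET STRING)
        if tag != 0x04:
            return None
        tag, secret, _ = read_tlv(bind, off)          # simple [0] OCTET STRING
        if tag != 0x80:
            return None
        return int.from_bytes(msg_id, "big"), dn.decode("utf-8", "replace"), len(secret)
    except (IndexError, ValueError):
        return None


def audit(flow):
    """flow: list of (direction, bytes) in wire order, direction 'c2s' or 's2c'.
    Returns human-readable findings; an empty list means nothing suspicious."""
    findings, server_hello_seen = [], False
    for direction, data in flow:
        for ctype, _version, body in parse_tls_records(data):
            if direction == "s2c" and ctype == TLS_HANDSHAKE and body and body[0] == HS_SERVER_HELLO:
                server_hello_seen = True
            if direction == "c2s" and ctype == TLS_APPLICATION_DATA:
                if not server_hello_seen:
                    findings.append("client sent Application Data before any ServerHello")
                leak = cleartext_bind_request(body)
                if leak is not None:
                    msg_id, dn, pw_len = leak
                    findings.append(f"cleartext LDAP simple bind as {dn!r} "
                                    f"({pw_len}-byte password) in message {msg_id}")
    return findings


# --- constructed sample data (placeholders, not from the capture) -------------
def ber_tlv(tag, payload):
    """Minimal BER encoder, only used to build the sample BindRequest."""
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def ldap_simple_bind(msg_id, dn, password):
    bind = ber_tlv(0x02, b"\x03") + ber_tlv(0x04, dn.encode()) + ber_tlv(0x80, password.encode())
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ber_tlv(0x60, bind))


def tls_record(ctype, version, body):
    return struct.pack("!BHH", ctype, version, len(body)) + body


CLIENT_HELLO = tls_record(TLS_HANDSHAKE, 0x0301, bytes([HS_CLIENT_HELLO]) + b"\x00\x00\x10" + bytes(16))
SERVER_HELLO = tls_record(TLS_HANDSHAKE, 0x0303, bytes([HS_SERVER_HELLO]) + b"\x00\x00\x04" + bytes(4))


def sample_flow():
    """Same order as the capture: ClientHello, then a bind labelled Application
    Data, then the server's ServerHello and a fatal unexpected_message alert."""
    leaked = tls_record(TLS_APPLICATION_DATA, 0x0303,
                        ldap_simple_bind(1, "cn=sssd,ou=services,dc=example,dc=org", "CONSTRUCTED-PASSWORD"))
    alert = tls_record(TLS_ALERT, 0x0303, b"\x02\x0a")   # level fatal(2), unexpected_message(10)
    return [("c2s", CLIENT_HELLO), ("c2s", leaked), ("s2c", SERVER_HELLO), ("s2c", alert)]


def healthy_flow():
    """What a working client does: application data only after the ServerHello."""
    ciphertext = tls_record(TLS_APPLICATION_DATA, 0x0303, bytes(range(32)))  # stands in for real ciphertext
    return [("c2s", CLIENT_HELLO), ("s2c", SERVER_HELLO), ("c2s", ciphertext)]


if __name__ == "__main__":
    for finding in audit(sample_flow()):
        print("FINDING:", finding)
```

To use it on a real incident, feed `audit()` the TCP payloads of the two directions of the port 636 stream in wire order (for instance exported from Wireshark's "Follow TCP Stream" as raw bytes); a hit on the second finding is positive confirmation that the bind DN and ldap_default_authtok left the host unencrypted and the credential must be treated as exposed.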