SSSD / docs

Clone
Source Code
GIT

#53 Fix spelling mistakes; fix 2 links
Merged 6 years ago by lslebodn. Opened 6 years ago by sobek.
SSSD/ sobek/docs fix-spelling-mistakes  into  master

file modified
+2 -2 
@@ -435,7 +435,7 @@ 
 

  -  **ADD** **method** FindGroupByIdInDomain(String domain, Int64 id)
 

  

     -  *id*: the group's GID
 

-    -  *domain*: the groups's domain name
 

+    -  *domain*: the group's domain name
 

     -  returns: Path *group*: the path for the group object
 

     -  Error *org.freedesktop.Accounts.Error.Failed*: no such group
 

        exists
 
@@ -451,7 +451,7 @@ 
 

     name)
 

  

     -  *name*: the group's name
 

-    -  *domain*: the groups's domain name.
 

+    -  *domain*: the group's domain name.
 

     -  returns: Path *group*: the path for the group object
 

     -  Error *org.freedesktop.Accounts.Error.Failed*: no such group
 

        exists

file modified
+6 -6 
@@ -20,7 +20,7 @@ 
 

  Problem Statement
 

  -----------------
 

  

- The recommended way of connecting a Linux client to an Active Directory
 

+ The recommended way of connecting a GNU/Linux client to an Active Directory
 

  domain is using the `AD
 

  provider <http://jhrozek.fedorapeople.org/sssd/1.11.0/man/sssd-ad.5.html>`__.
 

  However, in the default configuration of the Active Directory provider,
 
@@ -38,7 +38,7 @@ 
 

  ------------------------------
 

  

  With the existing SSSD, the administrator has two basic means to
 

- restrict access control to the Linux client - using the `simple access
 

+ restrict access control to the GNU/Linux client - using the `simple access
 

  control
 

  provider <http://jhrozek.fedorapeople.org/sssd/1.11.0/man/sssd-simple.5.html>`__
 

  or configuring the LDAP access control provider. Each approach has its
 
@@ -67,7 +67,7 @@ 
 

  -  Cons:
 

  

     -  Account expiration is not checked
 

-    -  Limited expresiveness. No way to combine several clauses
 

+    -  Limited expressiveness. No way to combine several clauses
 

     -  Does not align with the LDAP structure the Active Directory uses
 

  

  Using the LDAP access provider
 
@@ -118,13 +118,13 @@ 
 

  The proposal is to add a new access filter configuration option to the
 

  existing AD access provider. Adding the option to the AD provider would
 

  greatly simplify the configuration when compared to the LDAP access
 

- control, while maintaining the full expresiveness of
 

+ control, while maintaining the full expressiveness of
 

  ``ldap_access_filter``. The new option would be called
 

  ``ad_access_filter``. If the new option was set, then the AD access
 

  provider would first match the entry against the filter in that option.
 

  If the entry matched, then the account would be checked for expiration.
 

  

- The following exapmple illustrates an example similar to the one above,
 

+ The following example illustrates an example similar to the one above,
 

  using the proposed AD options: ::
 

  

          access_provider = ad
 
@@ -260,7 +260,7 @@ 
 

        denied access
 

     -  this test must include users from the primary domain as well as a
 

        sub domain
 

-    -  Different filters should be tested to make sure the most speficic
 

+    -  Different filters should be tested to make sure the most specific
 

        filter applies
 

  

        -  example: add a restrictive filter for dom1 and permissive

file modified
+2 -2 
@@ -82,7 +82,7 @@ 
 

  

  -  the computer is restarted
 

  -  the DHCP lease is renewed
 

- -  periodicaly every 24 hours by default
 

+ -  periodically every 24 hours by default
 

  

     -  this is configurable in the windows registry using the
 

        ``DefaultRegistrationRefreshInterval`` key under the
 
@@ -305,7 +305,7 @@ 
 

        -  The other client's DNS records should remain intact in the DNS
 

           MMC console
 

  

- Links and recources
 

+ Links and resources
 

  -------------------
 

  

  -  `Understanding aging and

file modified
+1 -1 
@@ -17,7 +17,7 @@ 
 

  ---------
 

  

  The site discovery relies on client being part of subnet. It is not
 

- always practical or even possible to assign Linux machines to the right
 

+ always practical or even possible to assign GNU/Linux machines to the right
 

  subnet. Still, these clients should be able to leverage the nearest AD
 

  site, even at the expense of manual configuration in ``sssd.conf``.

file modified
+15 -15 
@@ -37,7 +37,7 @@ 
 

  interactive, remote interactive) and consisting of a whitelist [and
 

  blacklist] of users and groups that are allowed [or denied] access to
 

  the computer using the set's logon method. In order to integrate Windows
 

- Logon Rights into a Linux environment, we allow pam service names to be
 

+ Logon Rights into a GNU/Linux environment, we allow pam service names to be
 

  mapped to a specific Logon Right. We provide default mappings for all of
 

  the commonly used pam service names, but we also allow the admin to
 

  add/remove mappings as needed (to support custom pam service names, for
 
@@ -108,11 +108,11 @@ 
 

     that contain the "Security Settings" CSE, which it feeds, one by one,
 

     to the SMB/CIFS Engine
 

  -  SMB/CIFS Engine: makes blocking libsmbclient calls to retrieve each
 

-    GPO's GPT.INI and GptTmpl.inf files, and stores the files in the gpo
 

+    GPO's GPT.INI and GptTmpl.inf files, and stores the files in the GPO
 

     cache (/var/lib/sss/gpo\_cache), from which the GPO Enforcement
 

     Engine will retrieve them
 

  -  GPO Enforcement Engine: enforces GPO-based access control by
 

-    retrieving each GPO's policy file (GptTmpl.inf) from the gpo cache,
 

+    retrieving each GPO's policy file (GptTmpl.inf) from the GPO cache,
 

     parsing it, and making an access control decision by comparing the
 

     user/groups against the whitelist/blacklist of the Logon Right of
 

     interest (which is based on the pam service name)
 
@@ -135,7 +135,7 @@ 
 

  can be set to "disabled" (neither evaluated nor enforced), "enforcing"
 

  (evaluated and enforced), or "permissive" (evaluated, but not
 

  enforced).The "permissive" value is the default, primarily to facilitate
 

- a smooth transition for administrators; it evalutes the gpo-based access
 

+ a smooth transition for administrators; it evaluates the GPO-based access
 

  control rules and outputs a syslog message if access would have been
 

  denied. By examining the logs, administrators can then make the
 

  necessary changes before setting the mode to "enforcing".
 
@@ -186,7 +186,7 @@ 
 

        there is no cached version)
 

  

        -  Retrieves the policy file corresponding to the GPO
 

-          (GptTmpl.inf) and saves it to the gpo cache
 

+          (GptTmpl.inf) and saves it to the GPO cache
 

           (/var/lib/sss/gpo\_cache)
 

        -  Returns the fresh version to the backend, which stores it in
 

           the cache
 
@@ -201,7 +201,7 @@ 
 

     -  For each GPO
 

  

        -  Retrieves GPO's corresponding policy file (i.e. GptTmpl.inf)
 

-          file from gpo cache
 

+          file from GPO cache
 

        -  Parses policy file, extracting entries corresponding to the
 

           Logon Right of interest (determined by the pam service name)
 

        -  Enforces access control policy settings
 
@@ -247,9 +247,9 @@ 
 

  implementation, we should keep in mind that user-based GPOs could have a
 

  different refresh interval. As such, we would need to add a new
 

  configuration option ("computer\_gpo\_refresh\_interval") to the
 

- existing AD access provider that would specify the gpo retrieval refresh
 

+ existing AD access provider that would specify the GPO retrieval refresh
 

  interval in seconds. This would specify the period to use in the
 

- periodic task API to determine how often to call the gpo retrieval code.
 

+ periodic task API to determine how often to call the GPO retrieval code.
 

  By default, Microsoft sets this value to 90 minutes. It is an open issue
 

  as to whether we want to support the random offset interval or the
 

  ability to disable refresh altogether.
 
@@ -279,7 +279,7 @@ 
 

     retrieval takes place when returning to online mode from offline
 

     mode. This really depends on what we decide about the first two
 

     retrieval times above. If we aren't doing periodic refresh, and are
 

-    only retrieving gpo's at login time, then an online callback might
 

+    only retrieving GPOs at login time, then an online callback might
 

     not be needed. If we are doing periodic refresh, then we can set the
 

     "offline" parameter of be\_ptask\_create(...) to DISABLE (which means
 

     the task is disabled immediately when back end goes offline and then
 
@@ -298,7 +298,7 @@ 
 

     do here? If we wanted to log out the user, do we have an existing
 

     mechanism to do this?
 

  

- If we implement gpo refresh, which of the refresh configuration options
 

+ If we implement GPO refresh, which of the refresh configuration options
 

  should we implement and how?
 

  

  -  sssd configuration options
 
@@ -311,16 +311,16 @@ 
 

     -  disable\_gpo\_refresh (default false)? Presumably, this would be
 

        done so that performance would not be adversely affected during
 

        the logon session. Alternatively, we could tell admins that wanted
 

-       to disable gpo refresh to set the
 

+       to disable GPO refresh to set the
 

        entry\_cache\_computer\_gpo\_timeout to zero (0), although this
 

        would not be how Microsoft interprets a zero value. Does sssd
 

        interpret '0' as "disable" elsewhere?
 

  

- -  gpo refresh interval GPO
 

+ -  GPO refresh interval GPO
 

  

     -  if we didn't want to clutter sssd's configuration namespace, we
 

        could just use the standard Microsoft GPO that allows an admin to
 

-       specify the aforementioend refresh intervals (and distribute a
 

+       specify the aforementioned refresh intervals (and distribute a
 

        consistent configuration to a set of computers)
 

  

  Options
 
@@ -357,7 +357,7 @@ 
 

     -  suffers performance hit at initial startup and then periodically
 

     -  policy data likely to be stale
 

     -  requires implementation of periodic refresh, including refresh
 

-       configuration (for which we should probably use gpo refresh GPO)
 

+       configuration (for which we should probably use GPO refresh GPO)
 

  

  Recommendation
 

  --------------
 
@@ -459,7 +459,7 @@ 
 

  

  -  Test ad\_gpo\_cache\_timeout config option
 

  

-    -  perform standard test with a sysdb cache with no gpo entries (or a
 

+    -  perform standard test with a sysdb cache with no GPO entries (or a
 

        clean sysdb cache)
 

     -  make a change to a GPO policy setting so that the
 

        sysvol\_gpt\_version is incremented

file modified
+1 -1 
@@ -76,7 +76,7 @@ 
 

  

  In other words, there will be 3 settings:
 

  

- **Mimimum** number of worker processes **running**.
 

+ **Minimum** number of worker processes **running**.
 

  

  **Maximum** number of worker processes **running**.

file modified
+8 -8 
@@ -10,7 +10,7 @@ 
 

  Autofs is able to look up maps stored in LDAP. However, autofs does all
 

  the lookups on its own. Even though autofs uses the ``nsswitch.conf``
 

  configuration file, there is no glibc interface such as those for
 

- retreiving users and groups and by extension no nscd caching.
 

+ retrieving users and groups and by extension no nscd caching.
 

  

  The benefits of the integration would be:
 

  
@@ -50,7 +50,7 @@ 
 

  

  The lookup modules are named ``<autofs library dir>/lookup_<source>.so``
 

  where ``<source>`` is the source name from the "automount:" line of
 

- ``/etc/nssswitch.conf``. So the SSSD lookup module would be named
 

+ ``/etc/nsswitch.conf``. So the SSSD lookup module would be named
 

  ``lookup_sss.so`` and selected in nsswitch.conf with the directive
 

  ``automount: files sss`` (to allow for local client overrides) or just
 

  ``automount: sss``.
 
@@ -66,7 +66,7 @@ 
 

  The API provided by SSSD
 

  ------------------------
 

  

- The SSSD API would live in libnsss\_sss.so. That means polluting the
 

+ The SSSD API would live in libnss\_sss.so. That means polluting the
 

  library a little with functions that are not strictly
 

  name-service-switch related, but would allow us to reuse a fair amount
 

  of code and talk to the NSS responder socket easily.
 
@@ -213,8 +213,8 @@ 
 

  ^^^^^^^^^^^^^^^^^^^^^
 

  

  With user/group lookups, the domain can be specified by using a
 

- "fully-qualified-name", for example getent passwd
 

- `jhrozek@redhat.com <mailto:jhrozek@redhat.com>`__. We should support
 

+ "fully-qualified-name", for example ``getent passwd
 

+ jhrozek@redhat.com``. We should support
 

  something similar with autofs. However, maps can include any characters
 

  that are valid for filesystem path names, including '@', so there's a
 

  potential conflict.
 
@@ -225,11 +225,11 @@ 
 

  -  FQDN requests will be allowed by default, but not required unless
 

     ``use_fully_qualified_names`` is set to TRUE
 

  -  The FQDN name-domain separator is @ by default, but SSSD allows it to
 

-    be configurable even in the current using the ``re_expression``
 

+    be configurable even in the current version using the ``re_expression``
 

     parameter.
 

  

- Future and miscellanous work
 

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

+ Future and miscellaneous work
 

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

  

  The first iteration will aim at providing a working autofs integration
 

  for generic LDAP servers. There is a number of tasks that might not make

file modified
+1 -1 
@@ -51,7 +51,7 @@ 
 

     will be used by all.
 

  

  2. A secondary implementation method that provides a DNS domain and the
 

-    request to resolve SRV records instead of (or in addtion to)
 

+    request to resolve SRV records instead of (or in addition to)
 

     providing a list of servers:services. The helper will decide when it
 

     is time to refresh the SRV list.

file modified
+1 -1 
@@ -33,7 +33,7 @@ 
 

  ----------------------
 

  A more technical extension of the previous section. Might include low-level
 

  details, such as C structures, function synopsis etc. In case of very
 

- trivial features (e.g a new option), this section can be merged with the
 

+ trivial features (e.g. a new option), this section can be merged with the
 

  previous one.
 

  

  Configuration changes

file modified
+2 -2 
@@ -45,7 +45,7 @@ 
 

  

  -  Config validation
 

  

-    -  prerequisity: have a common definition of options and autogenerate
 

+    -  prerequisite: have a common definition of options and autogenerate
 

        the rest
 

  

        -  Autogenerate dp\_opts, man pages and configAPI sources from a
 
@@ -77,7 +77,7 @@ 
 

  

  A more technical extension of the previous section. Might include
 

  low-level details, such as C structures, function synopsis etc. In case
 

- of very trivial features (e.g a new option), this section can be merged
 

+ of very trivial features (e.g. a new option), this section can be merged
 

  with the previous one.
 

  

  Configuration changes

file modified
+10 -10 
@@ -11,7 +11,7 @@ 
 

  -----------------
 

  

  Current state of data provider interface is not extensible enough to
 

- fulfil needs of planned SSSD features such as `SSSD Status Tool
 

+ fulfill needs of planned SSSD features such as `SSSD Status Tool
 

  <https://docs.pagure.org/SSSD.sssd/design_pages/sssctl.html>`__.
 

  The main flaw that we aim to solve is to simplify adding of new methods,
 

  properties and possibly signals using our *sbus* interface. As a side
 
@@ -117,7 +117,7 @@ 
 

  -  make adding a new target automated and error proof
 

  -  make adding a new method automated and error proof
 

  -  create a proper talloc hierarchy so we can control clean up process
 

- -  support module's contructor and private data shared across target's
 

+ -  support module's constructor and private data shared across target's
 

     initialization functions
 

  -  make method handlers pure tevent requests that returns single error
 

     code
 
@@ -141,7 +141,7 @@ 
 

  process parameters and *create a data provider request*. This request
 

  will call a data provider method handler which is a basic **tevent
 

  request**. When the request is finished, data provider tevent callback
 

- is invoked and it send a reply back to the responder. Depenging on the
 

+ is invoked and it send a reply back to the responder. Depending on the
 

  request result the reply message may be either error, sending an error
 

  code and message, or success where a default or *custom \_recv* function
 

  may be called to obtain and send additional attributes.
 
@@ -156,7 +156,7 @@ 
 

      ... asynchronous processing ...
 

  

      (tevent done) -> (dp request done) -> (error detected) -> (dbus error) -> Responder
 

-                                        -> (success)        -> (recive callback) -> (dbus) -> Reponder
 

+                                        -> (success)        -> (receive callback) -> (dbus) -> Responder
 

  

  Data Provider Initialization
 

  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -164,7 +164,7 @@ 
 

  This section describes what is needed to initialize data provider. It
 

  talks only about sections that may change in the future in order to
 

  extend SSSD's functionality, it does not describe how it works under the
 

- hood. The initializion basically consist of these steps:
 

+ hood. The initialization basically consist of these steps:
 

  

  **1. Initialization of data provider modules and targets**
 

  
@@ -224,8 +224,8 @@ 
 

  #. Add new method (or interface) into data provider introspection file
 

     **dp\_iface.xml**
 

  #. Register this interface or method in **dp\_iface.c** by providing the
 

-    interface structure generated from the instrospection file and
 

-    ammending **dp\_map** array
 

+    interface structure generated from the introspection file and
 

+    amending **dp\_map** array
 

  #. (optionally if needed) Add new data provider method and/or target
 

     into **enum dp\_methods** and **enum dp\_targets** respectively
 

  #. Implement the method handler
 
@@ -305,7 +305,7 @@ 
 

  All parameters except memory context are combined into one structure to
 

  simplify possible future extensions (thus when a new parameter needs to
 

  be added we don't have to modify existing handler). The *data* in
 

- recieve function may be used to pass output parameters into the D-Bus
 

+ receive function may be used to pass output parameters into the D-Bus
 

  reply. For example, the following reply callback simulates current reply
 

  message which returns major and minor error together with error message. ::
 

  
@@ -343,7 +343,7 @@ 
 

  ~~~~~~~~~~~~~~~~~~~
 

  

  The memory hierarchy is known strictly specified and should not be
 

- broken. It gives us the ability to cleary clean up all data provider
 

+ broken. It gives us the ability to clearly clean up all data provider
 

  data on SSSD exit. ::
 

  

                                     struct be_ctx
 
@@ -402,7 +402,7 @@ 
 

  a special message prefix: **DP Request [$name #$index]**. The $name is
 

  the name of the request (i.e. which method was called), $index is a
 

  cyclic number assigned to the request. When we run out of number we
 

- siply start from 1 again.
 

+ simply start from 1 again.
 

  

  In the debugger we can monitor active data provider request, clients,
 

  modules and targets in **be\_ctx->provider**.

file modified
+3 -3 
@@ -87,11 +87,11 @@ 
 

  

  -  **property** Uint32 min\_id
 

  

-    -  Minimum uid and gid value for this domain
 

+    -  Minimum UID and GID value for this domain
 

  

  -  **property** Uint32 max\_id
 

  

-    -  Maximum uid and gid value for this domain
 

+    -  Maximum UID and GID value for this domain
 

  

  -  **property** String realm
 

  
@@ -111,7 +111,7 @@ 
 

  

  -  **property** Boolean enumerable
 

  

-    -  Whether this domain can be enumarated or not
 

+    -  Whether this domain can be enumerated or not
 

  

  -  **property** Boolean use\_fully\_qualified\_names

file modified
+10 -10 
@@ -37,7 +37,7 @@ 
 

  This section gathers feedback expressed in mailing lists, private e-mail
 

  conversations and IRC discussions and summarizes feature requests and
 

  areas that need improvement into a design proposal of both the DBus API
 

- and several required changes in the core SSSD deamon.
 

+ and several required changes in the core SSSD daemon.
 

  

  Cached objects
 

  ~~~~~~~~~~~~~~
 
@@ -50,7 +50,7 @@ 
 

  

  Instead of a single interface returning object attributes in an
 

  LDAP-like way, the interface would be built in an object-oriented
 

- fashion. Each object (ie a user or a group) would be identified with an
 

+ fashion. Each object (i.e. a user or a group) would be identified with an
 

  object path and methods would be available to the interface user to make
 

  it possible to retrieve either a single object or a set of object.
 

  
@@ -122,7 +122,7 @@ 
 

     -  *debug\_level*: Debug level to set
 

     -  returns: nothing
 

     -  note: changes will be permanent but do not require restart of the
 

-       deamon
 

+       daemon
 

  

  -  **property** String name
 

  
@@ -221,11 +221,11 @@ 
 

  

  -  **property** Uint32 min\_id
 

  

-    -  Minimum uid and gid value for this domain
 

+    -  Minimum UID and GID value for this domain
 

  

  -  **property** Uint32 max\_id
 

  

-    -  Maximum uid and gid value for this domain
 

+    -  Maximum UID and GID value for this domain
 

  

  -  **property** String realm
 

  
@@ -245,7 +245,7 @@ 
 

  

  -  **property** Boolean enumerable
 

  

-    -  Whether this domain can be enumarated or not
 

+    -  Whether this domain can be enumerated or not
 

  

  -  **property** Boolean use\_fully\_qualified\_names
 

  
@@ -268,16 +268,16 @@ 
 

  Synchronous getter behaviour
 

  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

  

- Retrieving a property with a getter will always be sychronous and return
 

+ Retrieving a property with a getter will always be synchronous and return
 

  the value currently cached. The getter might schedule an out-of-band
 

  update depending on the state of the cache object. The primary reason
 

  for the getter being synchronous is to be able to be composable, in
 

  other words being able to call N getters in a loop and construct a reply
 

- message containing N properties without resorting to asychronous updates
 

+ message containing N properties without resorting to asynchronous updates
 

  of the properties.
 

  

  Callers that with to have an up-to-date view of the properties should
 

- update the object by calling a special ``update`` (not included atm)
 

+ update the object by calling a special ``update`` (not included ATM)
 

  method or subscribe to the PropertiesChanged interface.
 

  

  SSSD daemon features
 
@@ -311,7 +311,7 @@ 
 

  query. No other attributes will be returned. Requesting an attribute
 

  that is not permitted will yield an empty response, same as if the
 

  attribute didn't exist. The whitelist will include the standard set of
 

- POSIX attributes as returned by ie ``getpwnam`` by default.
 

+ POSIX attributes as returned by i.e. ``getpwnam`` by default.
 

  

  The administrator will be allowed to extend the whitelist in sssd.conf
 

  using a configuration directive either in the ``[ifp]`` section itself

file modified
+1 -1 
@@ -106,7 +106,7 @@ 
 

  

  #. Hook onto *PropertiesChanged* signal, e. g. with *dbus-monitor'Í„'*
 

  #. Trigger change of user/group
 

- #. Signal should be recieved
 

+ #. Signal should be received
 

  

  Questions
 

  ~~~~~~~~~

file modified
+1 -1 
@@ -15,7 +15,7 @@ 
 

  underlying library API. Libraries like libdbus or libdbus\_glib are
 

  quite complex and requires a lot of code to do even the simplest things.
 

  The purpose of this document is to describe a new public API to access
 

- most fundamental parts of SSSD's D-Bus repsonder in a simple way so that
 

+ most fundamental parts of SSSD's D-Bus responder in a simple way so that
 

  a user doesn't have to deal with D-Bus at all.
 

  

  Prerequisites

file modified
+3 -3 
@@ -184,7 +184,7 @@ 
 

  

  -  u gidNumber
 

  

-    -  The groups's primary GID.
 

+    -  The group's primary GID.
 

  

  -  ao users
 

  
@@ -210,7 +210,7 @@ 
 

  **filter\_limit**. This option can be present in [ifp] and [domain]
 

  sections to set this limit for data provider filter searches ([domain]
 

  section) and also global hard limit for the listing methods itself
 

- ([ifp] section). This limit is supposed to improve performace with large
 

+ ([ifp] section). This limit is supposed to improve performance with large
 

  databases so we process only a small number of records. If the option is
 

  set to 0, the limit is disabled.
 

  
@@ -219,7 +219,7 @@ 
 

  present on the beginning of the filter '\*filter', its end 'filter\*',
 

  both sides '\*filter\*' or even in the middle '\*fil\*ter\*', since it
 

  is supported by both LDAP and LDB. However, only prefix-filter
 

- ('filter\*'), can take the performace boost from indices so other filter
 

+ ('filter\*'), can take the performance boost from indices so other filter
 

  may not perform so good with huge databases.
 

  

  Configuration changes

file modified
+1 -1 
@@ -17,7 +17,7 @@ 
 

  Use cases
 

  ~~~~~~~~~
 

  

- If DNS system is broken using dyndns\_server option might be an
 

+ If DNS system is broken using dyndns\_server option might be a
 

  workaround
 

  

  Overview of the solution

file modified
+7 -7 
@@ -26,12 +26,12 @@ 
 

  busy answering many requests a queue may build up and replies be
 

  delayed.
 

  

- Allowing the clinets to direcly access SSSD caches is not possible for
 

+ Allowing the clients to directly access SSSD caches is not possible for
 

  various reasons including:
 

  

  -  sssd uses LDB as caching backend and LDB depends on byte range locks.
 

-    Letting a client read access to the cache would allow DoS if the
 

-    client lcoks a record and never unlock it.
 

+    Giving a client read access to the cache would allow DoS, f.e. the
 

+    client locks a record and never unlocks it.
 

  -  sssd stores data not all clients are allowed to get access to
 

     (password hashes for example) and partitioning access to this data
 

     within the LDB cache is not feasible.
 
@@ -63,7 +63,7 @@ 
 

  parallel within each process with synchronization (in order to allow
 

  updates) performed by using memory barriers.
 

  

- Cache files can only be used for direct lookups (by name or by uid/gid),
 

+ Cache files can only be used for direct lookups (by name or by UID/GID),
 

  enumerations are \_never\_ handled via fast cache lookups by design,
 

  they always fallback to socket communication.
 

  
@@ -74,11 +74,11 @@ 
 

  Configuration
 

  -------------
 

  

- At the moement we plan to provide 3 parameters per map that can control
 

+ At the moment we plan to provide 3 parameters per map that can control
 

  the caches.
 

  

- -  Per map enablement parameter that allows to activate/deactiveate maps
 

-    invidiually.
 

+ -  Per map enablement parameter that allows to activate/deactivate maps
 

+    individually.
 

  -  Per map cache size to fine tune the cache sizes in case space is at a
 

     premium or the dataset does not fit the default cache.
 

  -  Expiration time for entries.

file modified
+2 -2 
@@ -161,7 +161,7 @@ 
 

  

  #. Failover from ``sss`` to ``files`` when SSSD is not running - this is
 

     the 'worst' case where ``sss`` is enabled in ``nsswitch.conf`` but
 

-    the deamon is not running at all, so the system falls back from
 

+    the daemon is not running at all, so the system falls back from
 

     ``sss`` to ``files`` for user lookups.
 

  

     -  Single lookup ::
 
@@ -176,7 +176,7 @@ 
 

            _nss_files_getpwnam cnt:100 avg:19 min:16 max:42 sum:1907 us
 

            _nss_sss_getpwnam cnt:100 avg:22 min:19 max:74 sum:2248 us
 

  

- #. Round-trip between SSSD deamon's populated cache and OS when the
 

+ #. Round-trip between SSSD daemon's populated cache and OS when the
 

     memory cache is not used or not populated
 

  

     -  Single lookup ::

file modified
+2 -2 
@@ -34,7 +34,7 @@ 
 

  Overview of the solution
 

  ------------------------
 

  FleetCommander consists on two components:
 

-  * a Cockpit plugin that connects to the freeIPA and sets up profiles
 

+  * a Cockpit plugin that connects to the FreeIPA and sets up profiles
 

     for different users.
 

   * a client side component activated by SSSD, which applies all the
 

     profiles retrieved by the latter.
 
@@ -78,7 +78,7 @@ 
 

  will look for the user and all his groups. For performance reasons, we
 

  need to check if initgroups was performed prior to looking up the
 

  profiles and only issue another initgroups request if the user entry's
 

- inigroup timestamp is expired.
 

+ initgroup timestamp is expired.
 

  

  The profiles will also be stored in the cache to allow offline
 

  processing. As an additional enhancement, we can skip writing the

file modified
+1 -1 
@@ -114,7 +114,7 @@ 
 

  Since the Global Catalog lookups just replace the current lookup methods
 

  SSSD should just behave as before (Regression testing).
 

  

- Additional the following changes might be visible on the user or admind
 

+ Additionally the following changes might be visible on the user or admin
 

  level.
 

  

  AD provider

file modified
+4 -4 
@@ -31,7 +31,7 @@ 
 

  different SIDs or at no SIDs at all.
 

  

  For example Active Directory users might not be able to access their
 

- files on UNIX hosts any more as the files would belong to their formal
 

+ files on UNIX hosts any more as the files would belong to their former
 

  UNIX IDs not the current ones.
 

  

  After this feature is implemented administrator's action will not be
 
@@ -60,7 +60,7 @@ 
 

     domains that SID belongs to.
 

  -  If such list is not empty then check if SID matches against secondary
 

     ranges of these domains and perform similar computation of UNIX ID as
 

-    is done for primary slices. If SID is not in helper ranges new range
 

+    is done for primary slices. If SID is not in helper ranges a new range
 

     is generated and its identifier string is *domain\_sid-$first\_rid*
 

     where $first\_rid is **((int)(RIDofSID / range\_size)) \*
 

     range\_size**.
 
@@ -79,8 +79,8 @@ 
 

  Introduce new struct **idmap\_range\_params** that holds all relevant
 

  information for slice ranges, such as:
 

  

- -  uint32\_t min\_id - minimal unix ID in given slice
 

- -  uint32\_t max\_id - maximal unix ID in given slice
 

+ -  uint32\_t min\_id - minimal UNIX ID in given slice
 

+ -  uint32\_t max\_id - maximal UNIX ID in given slice
 

  -  char \*range\_id
 

  -  uint32\_t first\_rid

file modified
+15 -15 
@@ -20,7 +20,7 @@ 
 

  Problem Statement
 

  ~~~~~~~~~~~~~~~~~
 

  

- Although mapping of Posix UIDs and SIDs is not needed mounting a CIFS
 

+ Although mapping of POSIX UIDs and SIDs is not needed mounting a CIFS
 

  share it might become necessary when working with files on the share,
 

  e.g. when modifying ACLs. Up to version 5.8 the cifs-utils package uses
 

  Winbind for this exclusively and the following binaries were linked
 
@@ -32,7 +32,7 @@ 
 

  

  With version 5.9 of cifs-utils a plugin interface was introduced by Jeff
 

  Layton (Thank you very much Jeff) to allow services other than winbind
 

- to handle the mapping of Posix UIDs and SIDs. SSSD will provide a plugin
 

+ to handle the mapping of POSIX UIDs and SIDs. SSSD will provide a plugin
 

  to allow the cifs-utils to ask SSSD to map the ID. With this plugin an
 

  SSSD client can access a CIFS share with the same functionality as a
 

  client running Winbind.
 
@@ -71,7 +71,7 @@ 
 

     ID mapping calls. Although it might be possible possible to map IDs
 

     algorithmically without talking to SSSD I think those calls should
 

     also reach out to SSSD to do the mapping. The main reason is to allow
 

-    other kind of mappings (e.g. using Posix attributes if available in
 

+    other kind of mappings (e.g. using POSIX attributes if available in
 

     AD). ::
 

  

        57 /*
 
@@ -143,7 +143,7 @@ 
 

       123  * cifs_idmap_sids_to_ids - convert struct cifs_sids to struct cifs_uxids
 

       124  * @handle - context handle
 

       125  * @sid    - pointer to array of struct cifs_sids to be converted
 

-      126  * @num    - number of sids to be converted
 

+      126  * @num    - number of SIDs to be converted
 

       127  * @cuxid  - pointer to preallocated array of struct cifs_uxids for return
 

       128  *
 

       129  * This function should map an array of struct cifs_sids to an array of
 
@@ -171,7 +171,7 @@ 
 

       151  *
 

       152  * This function should map an array of cifs_uxids an array of struct cifs_sids.
 

       153  * Returns 0 if at least one conversion was successful and non-zero on error.
 

-      154  * Any sids that were not successfully converted should have their revision
 

+      154  * Any SIDs that were not successfully converted should have their revision
 

       155  * number set to 0.
 

       156  *
 

       157  * On any error, the plugin should reset the errmsg pointer passed to the
 
@@ -209,7 +209,7 @@ 
 

  

  If there is no plugin for the CIFS client utilities or the plugin cannot
 

  resolve the SIDs to names getcifsacl will only show the SID strings in
 

- the outout: ::
 

+ the output: ::
 

  

      # getcifsacl /tmp/bla/Users/Administrator/Desktop/putty.exe
 

      REVISION:0x1
 
@@ -261,17 +261,17 @@ 
 

  The following switches can be used to test the functions mentioned in
 

  the implementation section: ::
 

  

-       -n, --name-to-sid=NAME                Converts name to sid
 

-       -s, --sid-to-name=SID                 Converts sid to name
 

-       -U, --uid-to-sid=UID                  Converts uid to sid
 

-       -G, --gid-to-sid=GID                  Converts gid to sid
 

-       -S, --sid-to-uid=SID                  Converts sid to uid
 

-       -Y, --sid-to-gid=SID                  Converts sid to gid
 

+       -n, --name-to-sid=NAME                Converts name to SID
 

+       -s, --sid-to-name=SID                 Converts SID to name
 

+       -U, --uid-to-sid=UID                  Converts UID to SID
 

+       -G, --gid-to-sid=GID                  Converts GID to SID
 

+       -S, --sid-to-uid=SID                  Converts SID to UID
 

+       -Y, --sid-to-gid=SID                  Converts SID to GID
 

        -i, --user-info=USER                  Get user info
 

-           --uid-info=UID                    Get user info from uid
 

+           --uid-info=UID                    Get user info from UID
 

            --group-info=GROUP                Get group info
 

-           --user-sidinfo=SID                Get user info from sid
 

-           --gid-info=GID                    Get group info from gid
 

+           --user-sidinfo=SID                Get user info from SID
 

+           --gid-info=GID                    Get group info from GID
 

        -r, --user-groups=USER                Get user groups
 

  

  Additional links

file modified
+2 -2 
@@ -90,7 +90,7 @@ 
 

  Now the AD provider code can be used to lookup up the users and group of
 

  the trusted AD domain. Only the ID-mapping logic should be refactored so
 

  that the same code can be used in the standalone AD provider where the
 

- configuration is read form ssd.conf and as part of the IPA provider
 

+ configuration is read from sssd.conf and as part of the IPA provider
 

  where the idrange objects read from the IPA server dictates the mapping.
 

  Maybe libsss\_idmap can be extended to handle idranges for mappings in
 

  AD as well, e.g. a specific error code can be used to indicate to the
 
@@ -186,7 +186,7 @@ 
 

  accordingly.
 

  

  Additional the code paths where new subdomains are created must be
 

- reviewed and whereever the mpg flag is set code must be added so that it
 

+ reviewed and wherever the mpg flag is set code must be added so that it
 

  is set according to the range type.
 

  

  Although I think that the code path where an IPA client (i.e.

file modified
+8 -8 
@@ -98,7 +98,7 @@ 
 

  The identity of the ccache owner is read from the client socket connection.
 

  However, because in containerized environments, the same ID can often
 

  identify multiple apps, it is important to also track the SELinux label
 

- as part of the client identity. This would prevent two continers running with
 

+ as part of the client identity. This would prevent two containers running with
 

  the same ID but different SELinux label to access each other's credentials.
 

  

  
@@ -121,7 +121,7 @@ 
 

  not be used in production. If the persistent storage in sssd-secrets (which
 

  is the default) is used, the KCM responder is allowed to idle-terminate.
 

  

- For user credentialsm the KCM Server uses a secrets responder URI
 

+ For user credentials the KCM Server uses a secrets responder URI
 

  in the form of ``http://localhost/kcm/persistent/$uid`` where ``$uid``
 

  is the user ID of the user whose credentials are being saved. In order to
 

  impersonate different users, the KCM responder runs as a trusted user
 
@@ -129,7 +129,7 @@ 
 

  user can access the ``/kcm`` hive in the sssd-secrets responder.
 

  

  The peer identity consists of an UID/GID tuple that is read from the
 

- client socket using ``getsockopt(SO_PEERCRED)`` and SELinux label.using
 

+ client socket using ``getsockopt(SO_PEERCRED)`` and SELinux label using
 

  ``SELINUX_getpeercon()``. To evaluate whether the MCS category the peer
 

  is running with can access the ccache potentially created with a different
 

  category, we'll call ``selinux_check_access()``.
 
@@ -142,7 +142,7 @@ 
 

  Internally in the secrets responder, the ccaches are stored at a new
 

  top-level anchor ``cn=kcm``. The secret responder's quotas on secrets
 

  also apply separately to the ``cn=kcm`` tree; separately here means
 

- that is is allowed to store ``max_secrets`` secrets and at the same
 

+ that it is allowed to store ``max_secrets`` secrets and at the same
 

  time ``max_secrets`` credential caches. There is a `separate ticket
 

  <https://pagure.io/SSSD/sssd/issue/3363>`_ to make the quotas per-UID.
 

  
@@ -161,7 +161,7 @@ 
 

       principal : {
 

           "type": "number",
 

           "realm": "string",
 

-          "componenents": [ "elem1", "elem2", ...]
 

+          "components": [ "elem1", "elem2", ...]
 

       }
 

  

       creds : [
 
@@ -219,7 +219,7 @@ 
 

   # systemctl enable sssd-kcm.service
 

  

  Please note that starting the KCM socket auto-starts the sssd-secrets
 

- socket so that the peristent secrets storage is available.
 

+ socket so that the persistent secrets storage is available.
 

  

  Then, set the ``KCM`` credential type as the default for the
 

  system. The ``sssd-kcm`` subpackage ships with a snippet file
 
@@ -432,7 +432,7 @@ 
 

  in other containers that are completely separated from the host environment.
 

  The containers must also share the credential caches between one another.
 

  

- #. Start a container that will run an SSSD instace with the KCM service. We
 

+ #. Start a container that will run an SSSD instance with the KCM service. We
 

     name the container ``kcmserver`` and assign a volume called ``/kcmserver``
 

     to this container::
 

  
@@ -512,7 +512,7 @@ 
 

  #. Start another container as another KCM client, configure its ``krb5.conf``
 

     configuration file in the same manner. As long as this container runs as
 

     the same UID as the first KCM client, the credentials should be visible
 

-    in this container immediatelly without having to acquire them::
 

+    in this container immediately without having to acquire them::
 

  

      kcmclient2 # klist 

          Ticket cache: KCM:0

file modified
+1 -1 
@@ -92,7 +92,7 @@ 
 

        This is potentially chaotic, as it introduces multiple points of
 

        failure resulting in offline operation.
 

     #. Flag unreachable entries as "complete", thereby having SSSD rely
 

-       on their presence or abscence in the cache. While this sounds nice
 

+       on their presence or absence in the cache. While this sounds nice
 

        in theory, I think this would probably be very difficult to get
 

        right, especially with enumeration. I recommend deferring this as
 

        a future optimization and going with one of the other approaches

file modified
+1 -1 
@@ -56,7 +56,7 @@ 
 

  user's name in the memberUid attribute.
 

  

  SSSD backends disable by default recursion from nsswitch calls into SSSD
 

- itslef. It is therefore safe to call functions like getpwnam() or
 

+ itself. It is therefore safe to call functions like getpwnam() or
 

  getpwuid() from within a backend. These functions will not enter the nss
 

  client and will return all users from any other backend listed in
 

  nsswitch.conf for the 'passwd' database.

file modified
+6 -6 
@@ -72,9 +72,9 @@ 
 

  To search a user with the help of the certificate the DER encoded binary
 

  ticket must be transformed into a search filter. In this case it would
 

  be something like 'userCertificate=\\23\\a5\\3e......' where each byte
 

- from the certificate is is represented by a hex value pre-pendened by a
 

+ from the certificate is represented by a hex value prepended by a
 

  '\\'. The filter should be generated in a subroutine which accepts the
 

- DER encoded certificate with base64 ascii armor and returns the search
 

+ DER encoded certificate with base64 ASCII armor and returns the search
 

  filter. This way the subroutine can later be extended to accept
 

  configuration options for the identity mapping and can return different
 

  search filters for those cases. Since the requirement for LDAP and sysdb
 
@@ -83,7 +83,7 @@ 
 

  different.
 

  

  Although it would be possible to handle the binary DER data directly I
 

- think using a base64 ascii armor to handle the data as a string is
 

+ think using a base64 ASCII armor to handle the data as a string is
 

  useful to avoid adding code for handling binaries e.g. in the S-BUS
 

  requests to the backends.
 

  
@@ -91,7 +91,7 @@ 
 

  ^^^^^^^^^
 

  

  A new call sysdb\_search\_user\_by\_cert() should be added which get the
 

- DER encoded certificate with base64 ascii armor as input and use the
 

+ DER encoded certificate with base64 ASCII armor as input and use the
 

  function described above to get a proper search filter. Currently it
 

  will be only the search filter for the binary certificate. Other than
 

  that the new call will act like to other sysdb\_search\_user\_by\_\*()
 
@@ -101,11 +101,11 @@ 
 

  ^^^^^^^^
 

  

  A new method GetUSerAttrByCert() must be implemented which expected the
 

- PEM encoded certificate and an array of attrbute names. **Question:
 

+ PEM encoded certificate and an array of attribute names. **Question:
 

  Should we only support PEM here or other formats as well? In this case
 

  we need a third parameter indicating the encoding of the certificate
 

  data.**.
 

- InfoPipe will convert the certificate into DER encoding with base64 ascii
 

+ InfoPipe will convert the certificate into DER encoding with base64 ASCII
 

  armor, search the cache and eventually forward the request to the backend.
 

  The request to the backend is processed similar to a request by name,
 

  only that a new filter name, e.g. DP\_CERT\_ID "cert", is needed.

file modified
+2 -2 
@@ -90,7 +90,7 @@ 
 

  ~~~~~~~~~~~~~~~~~~~~~
 

  

  For the AD provider the currently unset option *ldap\_user\_certificate*
 

- will be set to *userCertificate;binary*. This means that is a
 

+ will be set to *userCertificate;binary*. This means that if a
 

  certificate is available in the user entry it will be downloaded and
 

  written to the cache by default. To avoid this *ldap\_user\_certificate*
 

  must be set to a non-existing attribute name like e.g. ::
 
@@ -98,7 +98,7 @@ 
 

      ldap_user_certificate = nonExistingAttributeName
 

  

  The *sss\_override user-add* utility has a new option *--certificate*
 

- (*-x*) which expects the base64-endode certificate as an argument.
 

+ (*-x*) which expects the base64-encoded certificate as an argument.
 

  

  How To Test
 

  ~~~~~~~~~~~

file modified
+4 -4 
@@ -54,7 +54,7 @@ 
 

  

  Implementation details
 

  ^^^^^^^^^^^^^^^^^^^^^^
 

- Since certificates form different CAs (i.e. a different issuer) might have
 

+ Since certificates from different CAs (i.e. a different issuer) might have
 

  different properties and might be used in different domains mapping rules
 

  cannot be applied unconditionally but only to "matching" certificates. On
 

  the other hand it is not sufficient to know that a certificate is
 
@@ -538,7 +538,7 @@ 
 

  The optional ``*`` in the end indicates that a sub-string search
 

  (``ldapAttributeName=*value*``) should be used and not an exact match
 

  (``ldapAttributeName=value``). Please note that it depends on the server-side
 

- definition of the LDAP attribute if case-sensitive or case-insensitve
 

+ definition of the LDAP attribute if case-sensitive or case-insensitive
 

  matching is used.
 

  

  Currently I see no usage for ``<KU>`` and ``<EKU>`` in mapping rules
 
@@ -569,7 +569,7 @@ 
 

  this and I would like to avoid implementing it. GLib e.g. has
 

  `g_regex_replace <https://developer.gnome.org/glib/stable/glib-Perl-compatible-regular-expressions.html#g-regex-replace>`_
 

  Since we already have a GLib dependency in SSSD due to
 

- soem utf8 helper functions using might be acceptable as well. Nevertheless it
 

+ some UTF-8 helper functions using might be acceptable as well. Nevertheless it
 

  would be nice to hear if there are alternative libraries available as well.
 

  

  Maybe even search-and-replace are not sufficient for all cases and something
 
@@ -646,7 +646,7 @@ 
 

      mapping_rule = <ALT-SEC-ID-I-S:altSecurityIdentities>
 

      certificate_domains = my-company.com
 

  

-   only allow certificates form the 'my-company' issuer which
 

+   only allow certificates from the 'my-company' issuer which
 

    have an email address from the 'my-company.com' domain in the
 

    rfc882Name SAN attribute. Use AD style issuer-subject search filter
 

    ``(altSecurityIdentities=<I>cn=issuer,dc=my-company,dc=com<S>cn=user,dc=my-company,dc=com)``

file modified
+1 -1 
@@ -96,7 +96,7 @@ 
 

  ^^^^^^^^^^^^^^^^^^^^^^^^^
 

  

  #. Incoming requests to the SSSD will behave similarly to the user and
 

-    group enumaration code, except that the individual result objects for
 

+    group enumeration code, except that the individual result objects for
 

     different netgroup names will be stored in a hash table keyed on the
 

     netgroup name.
 

  #. During processing, if a netgroup contains nested netgroups, we will

file modified
+4 -4 
@@ -76,7 +76,7 @@ 
 

  non-POSIX one.
 

  

  An application domain section can be either defined as a standalone
 

- domain, listing all the needed options or can be used in conjuction with
 

+ domain, listing all the needed options or can be used in conjunction with
 

  a traditional POSIX domain in mixed setups. In this case, the application
 

  domain can use the ``inherit_from`` option to inherit all options from the
 

  "sibling" POSIX domain.  Any options specified in the application domain
 
@@ -107,7 +107,7 @@ 
 

  qualified names.
 

  

  For distinguishing accounts between a POSIX and an application domain from
 

- the D-Bus inteface, a fully qualified name must be used. But since the
 

+ the D-Bus interface, a fully qualified name must be used. But since the
 

  D-Bus interface is normally used only by the application, putting the
 

  application domain first in the ``domains`` list should be enough to avoid
 

  using qualified names from the application while still making it possible
 
@@ -284,7 +284,7 @@ 
 

            ``appdomain.test`` domain completely.
 

  

          * Since the ``appdomain.test`` domain comes first in the domain
 

-           list, running ``GetUserAttr`` with an unqalified name should
 

+           list, running ``GetUserAttr`` with an unqualified name should
 

            return non-POSIX users
 

          * Also invoking the ``GetUserGroups`` function should list their
 

            non-POSIX groups. Requests qualified to reach the
 
@@ -306,7 +306,7 @@ 
 

  ------------
 

  Debug messages listing the domain type must be added to the ``cache_req``
 

  code. Then, the regular method of issuing a request and watching the logs
 

- should work. Expiring the cache and using the qualified names is recommeded.
 

+ should work. Expiring the cache and using the qualified names is recommended.
 

  

  Authors
 

  -------

file modified
+2 -2 
@@ -486,7 +486,7 @@ 
 

  It was proposed on the sssd-devel list that the initialization of the
 

  sssd\_be process is split into a privileged and non-privileged function.
 

  The back end would open all providers, call the privileged
 

- initialization functions and then drop privileges. Currenly all
 

+ initialization functions and then drop privileges. Currently all
 

  initialization is done as root, which is not strictly required in many
 

  setups.
 

  
@@ -514,7 +514,7 @@ 
 

  

  The downside is obviously the extra dependency, but libcap-ng has a
 

  small footprint and is already used by packages that are present on
 

- most, if not all, modern Linux installations, such as dbus.
 

+ most, if not all, modern GNU/Linux installations, such as dbus.
 

  

  We would keep the existing code around as a fallback for environments
 

  that don't have the libcap-ngs library available, such as non-Linux

file modified
+5 -5 
@@ -177,7 +177,7 @@ 
 

  I think it is not necessary to add special set of return values/error
 

  code but the standard ones are sufficient. Maybe ENETUNREACH it indicate
 

  that SSSD could not find the right domain for the request could be
 

- replaced by a better one. (EDOM would be a candidate, but imo it should
 

+ replaced by a better one. (EDOM would be a candidate, but IMO it should
 

  be reserved for mathematical operations.)
 

  

  Python bindings
 
@@ -197,10 +197,10 @@ 
 

  

      # sss_idmap --help
 

      Usage: sss_idmap [OPTION...]
 

-       -n, --name-to-sid=NAME      Converts name to sid
 

-       -s, --sid-to-name=SID       Converts sid to name
 

-       -S, --sid-to-id=SID         Converts sid to POSIX ID
 

-       -i, --id-to-sid=ID          Converts POSIX ID to sid
 

+       -n, --name-to-sid=NAME      Converts name to SID
 

+       -s, --sid-to-name=SID       Converts SID to name
 

+       -S, --sid-to-id=SID         Converts SID to POSIX ID
 

+       -i, --id-to-sid=ID          Converts POSIX ID to SID
 

  

      Help options:
 

        -?, --help                  Show this help message

file modified
+6 -6 
@@ -15,10 +15,10 @@ 
 

  -----------------
 

  

  When using Kerberos/GSSAPI authentication for a service running on a
 

- Linux host strictly speaking not a POSIX user of the Linux system is
 

+ GNU/Linux host strictly speaking not a POSIX user of the GNU/Linux system is
 

  authenticated but a Kerberos principal. I.e. authentication is
 

  successful for every Kerberos principal with a valid ticket for the
 

- service running on the Linux host. This is done intentional to keep
 

+ service running on the GNU/Linux host. This is done intentional to keep
 

  Kerberos independent of the operating system of the host. But it creates
 

  the problem of mapping Kerberos principals to POSIX users.
 

  
@@ -26,7 +26,7 @@ 
 

  the realm part of the Kerberos principal is stripped off and what
 

  remains is considered as a POSIX user name. The administrator can
 

  enhance this by adding some minimal regular-expression operations in
 

- /etc/krb5.conf. Addionally the user can create a .k5login file in his
 

+ /etc/krb5.conf. Additionally the user can create a .k5login file in his
 

  home directory and add all Kerberos principals which should be allowed
 

  to log in with his identity. All those methods do not scale in
 

  environments with multiple realm and cross-realm trust.
 
@@ -79,7 +79,7 @@ 
 

  considered as a Kerberos principal and not be split as fully qualified
 

  user names. While this would work for the localauth plugin use-case
 

  there are other potential use-cases where this would not be possible.
 

- E.g if SSSD should allow AD user to use their UPN (see
 

+ E.g. if SSSD should allow AD user to use their UPN (see
 

  `http://technet.microsoft.com/en-us/library/cc739093(v=WS.10).aspx <http://technet.microsoft.com/en-us/library/cc739093(v=WS.10).aspx>`__
 

  for details). This UPN is build by joining the user logon name and a UPN
 

  suffix with an '@' character. I think it cannot be expected from the AD
 
@@ -88,7 +88,7 @@ 
 

  

  Especially with the second use-case, we should process the argument of
 

  getpwnam() like a fully qualified user name first. If no matching user
 

- was found during this pass SSSD can take the orginal input, check if it
 

+ was found during this pass SSSD can take the original input, check if it
 

  contains an '@' character and search the configured backends for a
 

  matching Kerberos principal or UPN. It has to be noted that in theory
 

  there might be a user with the fully qualified name ``abc@domain.name``
 
@@ -172,7 +172,7 @@ 
 

  ``getent passwd testabc@MY.REALM`` will return the same entry but now
 

  search with the Kerberos principal.
 

  

- Additionaly, logging in as a Windows user using GSSAPI should succeed
 

+ Additionally, logging in as a Windows user using GSSAPI should succeed
 

  without requiring password with stock krb5.conf on an IPA client when
 

  IPA-AD trust is established, as the following sequence illustrates: ::

file modified
+2 -2 
@@ -363,7 +363,7 @@ 
 

  Failover mechanism wasn't prepared for subdomains and we run into
 

  troubles every now and then. We added several workarounds for cases
 

  where the original code wasn't sufficient but it made the code just more
 

- confused. At this moment nobody understands it but bugs keeps comming.
 

+ confused. At this moment nobody understands it but bugs keeps coming.
 

  

  We should have a separate failover context for each domain, instead of
 

  one per whole backend. It must be possible to set different srv
 
@@ -373,7 +373,7 @@ 
 

  Benefit to SSSD
 

  ^^^^^^^^^^^^^^^
 

  

- We remove old and problematic code that knowbody understands. We can
 

+ We remove old and problematic code that nobody understands. We can
 

  improve site discovery for trusted domains and we can have better
 

  control over subdomain server resolution.

file modified
+3 -3 
@@ -22,11 +22,11 @@ 
 

  ~~~~~~~~~
 

  

  -  User who is a member of a large amount of AD groups logs in to a
 

-    Linux server that is a member of the AD domain.
 

+    GNU/Linux server that is a member of the AD domain.
 

  -  User who is a member of a large amount of AD or IPA groups logs in to
 

-    a Linux server that is a member of an IPA domain with a trust
 

+    a GNU/Linux server that is a member of an IPA domain with a trust
 

     relationship to an AD domain
 

- -  Administrator of a Linux server runs "ls -l" in a directory where
 

+ -  Administrator of a GNU/Linux server runs "ls -l" in a directory where
 

     files are owned by a large group. An example would be group called
 

     "students" in an university setup

file modified
+3 -3 
@@ -26,7 +26,7 @@ 
 

  are one-way or two way trusts. For each one-way trust, SSSD needs to
 

  fetch and store the keytab and use the keytab to secure the connection.
 

  For two-way trusts, we can keep using the existing code that reuses the
 

- IPA realm and the system keytab for both IPA and AD connectins. Care
 

+ IPA realm and the system keytab for both IPA and AD connections. Care
 

  must be taken to remove keytabs of trusts that were removed as well.
 

  

  Fetching the keytab would be done by calling the ``ipa-getkeytab``
 
@@ -73,7 +73,7 @@ 
 

  ``ipa-getkeytab``, fetch the keytab and store it under
 

  ``/var/lib/sss/keytabs``. The ``ipa-getkeytab`` call will be done using
 

  Kerberos credentials the host has. IPA ACIs must be modified accordingly
 

- to allow the IPA server principals to fetch the trust keytabs, but noone
 

+ to allow the IPA server principals to fetch the trust keytabs, but nobody
 

  else. The SSSD invocation of ``ipa-getkeytab`` will not limit the
 

  enctypes in any way, we just rely on IPA creating the objects in LDAP in
 

  the correct manner.
 
@@ -169,7 +169,7 @@ 
 

  In both offline and inactive cases, the ID handlers would reply with
 

  ``DP_ERR_OFFLINE``. The crucial difference between offline and inactive
 

  at this point would be that inactive domains are re-activated
 

- undonditionally. When we modify the failover code to handle domains
 

+ unconditionally. When we modify the failover code to handle domains
 

  separately, we'll be able to leverage per-domain online checks or
 

  online/offline callbacks as well.

file modified
+1 -1 
@@ -5,7 +5,7 @@ 
 

  -----------------
 

  

  SSSD provider for OpenLMI will allow administrators to retrieve
 

- information from SSSD and modify the configuration through OpemLMI
 

+ information from SSSD and modify the configuration through OpenLMI
 

  tools.
 

  

  First iteration

file modified
+1 -1 
@@ -106,7 +106,7 @@ 
 

  

  To keep the delays due to the new request to a minimum pam\_sss should
 

  only run it, if the backend really supports it. Additionally is should
 

- be possilbe to disable the pre-authentication request completely with a
 

+ be possible to disable the pre-authentication request completely with a
 

  new option for pam\_sss.
 

  

  In addition to the authentication dialog the password change dialog

file modified
+13 -13 
@@ -144,7 +144,7 @@ 
 

  indicator requirements are useful to test the returned credentials but
 

  are not necessary to test the prompting. ::
 

  

-     $ ipa service-add ANY/ipa-client.example.dom
 

+     $ ipa service-add ANY/ipa-client.example.com
 

      $ ipa-getkeytab -p ANY/ipa-client.example.com -k /tmp/any.keytab
 

  

      $ ipa service-add OTP/ipa-client.example.com --auth-ind=otp
 
@@ -166,10 +166,10 @@ 
 

  

  after login you can test by calling ::
 

  

-     $ kvno ANY/ipa-client.example.dom@EXAMLE.COM
 

+     $ kvno ANY/ipa-client.example.com@EXAMPLE.COM
 

      ANY/ipa-client.example.com@EXAMPLE.COM: kvno = 1
 

-     $ kvno OTP/ipa-client.example.dom@EXAMLE.COM
 

-     kvno: KDC policy rejects request while getting credentials for OTP/ipa-client.example.dom@EXAMLE.COM
 

+     $ kvno OTP/ipa-client.example.com@EXAMPLE.COM
 

+     kvno: KDC policy rejects request while getting credentials for OTP/ipa-client.example.com@EXAMPLE.COM
 

  

  that only a ticket for the ANY service can be requested but not for the
 

  OTP service because only the password was used for authentication.
 
@@ -191,9 +191,9 @@ 
 

  

  after login you can test by calling ::
 

  

-     $ kvno ANY/ipa-client.example.dom@EXAMLE.COM
 

+     $ kvno ANY/ipa-client.example.com@EXAMPLE.COM
 

      ANY/ipa-client.example.com@EXAMPLE.COM: kvno = 1
 

-     $ kvno OTP/ipa-client.example.dom@EXAMLE.COM
 

+     $ kvno OTP/ipa-client.example.com@EXAMPLE.COM
 

      OTP/ipa-client.example.com@EXAMPLE.COM: kvno = 1
 

  

  that tickets for both services can be request successfully because now
 
@@ -201,7 +201,7 @@ 
 

  Entering Password+TokenValue in a single string at the *First Factor:*
 

  prompt will authenticate the user successfully as well but features
 

  like off-line authentication or unlocking of the user's keyring might
 

- not be availble.
 

+ not be available.
 

  

  Password and OTP
 

  ''''''''''''''''
 
@@ -221,17 +221,17 @@ 
 

  prompt. In the first case only a ticket for the ANY service can be
 

  requested: ::
 

  

-     $ kvno ANY/ipa-client.example.dom@EXAMLE.COM
 

+     $ kvno ANY/ipa-client.example.com@EXAMPLE.COM
 

      ANY/ipa-client.example.com@EXAMPLE.COML: kvno = 1
 

-     $ kvno OTP/ipa-client.example.dom@EXAMLE.COM
 

-     kvno: KDC policy rejects request while getting credentials for OTP/ipa-client.example.dom@EXAMLE.COM
 

+     $ kvno OTP/ipa-client.example.com@EXAMPLE.COM
 

+     kvno: KDC policy rejects request while getting credentials for OTP/ipa-client.example.com@EXAMPLE.COM
 

  

  If both factor are given tickets for both services can be requested
 

  successfully: ::
 

  

-     $ kvno ANY/ipa-client.example.dom@EXAMLE.COM
 

+     $ kvno ANY/ipa-client.example.com@EXAMPLE.COM
 

      ANY/ipa-client.example.com@EXAMPLE.COM: kvno = 1
 

-     $ kvno OTP/ipa-client.example.dom@EXAMLE.COM
 

+     $ kvno OTP/ipa-client.example.com@EXAMPLE.COM
 

      OTP/ipa-client.example.com@EXAMPLE.COM: kvno = 1
 

  

  Entering Password+TokenValue in a single string at the
 
@@ -244,7 +244,7 @@ 
 

  If password authentication is not working when both password and OTP
 

  authentication are enabled you might hit
 

  `https://bugzilla.redhat.com//show\_bug.cgi?id=1340304 <https://bugzilla.redhat.com//show_bug.cgi?id=1340304>`__
 

- and should update the Kerbeors packages.
 

+ and should update the Kerberos packages.
 

  

  Inspecting log files
 

  ^^^^^^^^^^^^^^^^^^^^

file modified
+2 -2 
@@ -113,7 +113,7 @@ 
 

  

  Password changes should be allowed against all domains, meaning that a
 

  user A (recognized via getpeercred) will be allow to perform a password
 

- change, ie implicitly allowed to access its own domain even if it is
 

+ change, i.e. implicitly allowed to access its own domain even if it is
 

  untrusted. Arbitrary password changes for other users should not be
 

  allowed.
 

  
@@ -137,7 +137,7 @@ 
 

  #. Authenticate using the selected PAM service as a user from domain A.
 

     The authentication should succeed.
 

  #. Authenticate using the same service as a user from domain B. The
 

-    authentication should fail and there should be a reasonable (ie not
 

+    authentication should fail and there should be a reasonable (i.e. not
 

     System Error) return code returned to the application
 

  #. Authenticate using a different PAM service. Make sure this service is
 

     ran by an untrusted user (not root!). Logins against both A and B

file modified
+12 -12 
@@ -1,7 +1,7 @@ 
 

  SSS NFS Client (rpc.idmapd plugin)
 

  ==================================
 

  

- The client is named "**sss\_nfs**" (althogh "sss\_idmap" or "idmap"
 

+ The client is named "**sss\_nfs**" (although "sss\_idmap" or "idmap"
 

  might have been better names, the term "idmap" is already occupied in
 

  the SSSD world).
 

  
@@ -12,11 +12,11 @@ 
 

  nfs-utils). Its role is to assist knfsd by providing the following 6
 

  mapping functions:
 

  

- #. (user) name to uid
 

- #. (group) name to gid
 

- #. uid to (user) name
 

- #. gid to (group) name
 

- #. principal (user) name to ids (uid + gid)
 

+ #. (user) name to UID
 

+ #. (group) name to GID
 

+ #. UID to (user) name
 

+ #. GID to (group) name
 

+ #. principal (user) name to ids (UID + GID)
 

  #. principal (user) name to grouplist (groups which user are member of)
 

  

  .. FIXME: The last two items had the following note below them
 
@@ -29,7 +29,7 @@ 
 

  On the kernel level, there's a caching mechanism for the responses from
 

  the userspace daemon.
 

  

- \ :sup:`(1)` Items 5 + 6 are only relevant for kerberised NFSv4 servers.
 

+ \ :sup:`(1)` Items 5 + 6 are only relevant for kerberized NFSv4 servers.
 

  At the first stage only there won't be kerberos support.
 

  

  SSSD - Responder
 
@@ -46,16 +46,16 @@ 
 

  

  Responder-Facing Interactions (existing NSS Responder commands)
 

  

- -  ``SSS_NSS_GETPWNAM`` - map (user) name to uid requests
 

- -  ``SSS_NSS_GETGRNAM`` - map (group) name to gid requests
 

- -  ``SSS_NSS_GETPWUID`` - map uid to (user) name requests
 

- -  ``SSS_NSS_GETGRGID`` - map gid to (group) name requests
 

+ -  ``SSS_NSS_GETPWNAM`` - map (user) name to UID requests
 

+ -  ``SSS_NSS_GETGRNAM`` - map (group) name to GID requests
 

+ -  ``SSS_NSS_GETPWUID`` - map UID to (user) name requests
 

+ -  ``SSS_NSS_GETGRGID`` - map GID to (group) name requests
 

  

  The request & reply sent to & from the responder is "standard" in terms
 

  of the NSS Responder.
 

  

  The client only needs a portion of the reply. Only this portion will be
 

- extracted from the packet (i.e. uid/gid/user name/group name).
 

+ extracted from the packet (i.e. UID/GID/user name/group name).
 

  

  Optimisation Techniques
 

  ~~~~~~~~~~~~~~~~~~~~~~~

file modified
+3 -3 
@@ -19,7 +19,7 @@ 
 

  idea compelling even at a single system level. As a security service
 

  sssd is ideal to host this capability while offering the same
 

  `API <https://github.com/simo5/custodia/blob/master/API.md>`__ via a
 

- Unix Socket. This will make it possible to use local calls and have them
 

+ UNIX Socket. This will make it possible to use local calls and have them
 

  transparently routed to a local or a remote key management store like
 

  `IPA Vault <http://www.freeipa.org/page/V4/Password_Vault_1.0>`__ or
 

  `HashiCorp's Vault <https://www.vaultproject.io>`__ for storage, escrow
 
@@ -41,7 +41,7 @@ 
 

  ~~~~~~~~~~~~~~~~~~~~~~~~
 

  

  This feature will be implemented by creating a new responder process
 

- that handles the REST API over a Unix Socket, and will route requestes
 

+ that handles the REST API over a UNIX Socket, and will route requests
 

  either to a local database separate from the generic ldb caches or to a
 

  provider that can implement remote backends like IPA Vault to store some
 

  or all the secrets of a user or a system application.
 
@@ -122,7 +122,7 @@ 
 

          void secrets_list_contents_free(struct secrets_list *list);
 

          void secrets_data_contents_free(struct secrets_data *data);
 

  

- The API uses eclusively the "simple" secret type.
 

+ The API uses exclusively the "simple" secret type.
 

  

  Resource Considerations
 

  ^^^^^^^^^^^^^^^^^^^^^^^

file modified
+2 -2 
@@ -22,7 +22,7 @@ 
 

  domains) to be possible by using only the short names without the domain
 

  component, as it's done by some 3rd party solutions.
 

  It's important to mention that the Administrator has also the possibility to
 

- configure it for directly AD joined clients, althought it cannot be done in a
 

+ configure it for directly AD joined clients, although it cannot be done in a
 

  centralized way (meaning that the configuration has to be done per SSSD
 

  client).
 

  
@@ -37,7 +37,7 @@ 
 

  ordered list of domains which will be looked-up first so the Administrator can
 

  have a better control and avoid a bunch of unnecessary look-ups. The list of
 

  the ordered domains can be provided in three different ways and those are
 

- described below accoding to their precedence order:
 

+ described below according to their precedence order:
 

  

  * sssd.conf: the admin can set up the ``domain_resolution_order`` option in
 

    the ``[sssd]`` section;

file modified
+5 -5 
@@ -100,8 +100,8 @@ 
 

  PKCS\ `#11 <https://fedorahosted.org/sssd/ticket/11>`__. If a value is
 

  encountered with no keyword, it is assumed to be the modname. If no
 

  module-name is specified, the default is opensc-pkcs11.so. slotid=
 

- and/or token= may be specified to force the use of a particular smard
 

- card reader or token if there is more than one available. certid= and/or
 

+ and/or token= may be specified to force the use of a particular smartcard
 

+ reader or token if there is more than one available. certid= and/or
 

  certlabel= may be specified to force the selection of a particular
 

  certificate on the device. See the pkinit\_cert\_match configuration
 

  option for more ways to select a particular certificate to use for
 
@@ -154,14 +154,14 @@ 
 

  

  By default the PKINIT plugin of MIT Kerberos expects that the KDC
 

  certificate contains the id-pkinit-KPKdc EKU as defined in RFC 4556 and
 

- has the kdc's hostname in id-pkinit-san as defined in RFC4556 as well.
 

+ has the KDC's hostname in id-pkinit-san as defined in RFC4556 as well.
 

  

  If id-pkinit-san is missing 'pkinit\_kdc\_hostname' can be set to the
 

- hostname of the kdc as stored in the dNSName in the SAN of the
 

+ hostname of the KDC as stored in the dNSName in the SAN of the
 

  certificate. If the dNSName SAN is missing as well, PKINIT won't work.
 

  

  If the id-pkinit-KPKdc EKU is not set 'pkinit\_eku\_checking' can be set
 

- to 'kpServerAuth' is the certificate of the kdc at least contains the
 

+ to 'kpServerAuth' is the certificate of the KDC at least contains the
 

  id-kp-serverAuth EKU. If this is missing as well 'pkinit\_eku\_checking'
 

  can be set to 'none', but this is not recommended.

file modified
+2 -2 
@@ -114,7 +114,7 @@ 
 

  a password and if the correct PIN is entered the user should be
 

  successfully authenticated and logged in.
 

  

- Runnning a ssh client with Smartcard support
 

+ Running an ssh client with Smartcard support
 

  ''''''''''''''''''''''''''''''''''''''''''''
 

  

  The *ssh* client program distributed with Fedora or RHEL contains
 
@@ -167,7 +167,7 @@ 
 

  

  The PKCS#11 module for accessing certificates and private keys in a NSS
 

  database is *libsoftokn3.so*. But unfortunately this modules needs some
 

- configuration option when loaded and there is (afaik) currently no way
 

+ configuration option when loaded and there is (AFAIK) currently no way
 

  to pass them with the *ssh* command. Luckily there is p11-kit which can
 

  be used to load *libsoftokn3.so* with options. In the following we
 

  assume that the certificate and the private key is stored in an NSS DB

file modified
+8 -8 
@@ -72,20 +72,20 @@ 
 

  

  Now you have to write the certificate and the keys to a Smartcard. You
 

  can use a suitable Windows tool for this. Or you can export the data and
 

- write it to a Smartcard from a Linux client which will be explained in
 

+ write it to a Smartcard from a GNU/Linux client which will be explained in
 

  the following.
 

  

  To export the certificate select it in the Certificates Snap-in and call
 

  'Export' from the 'All Tasks' context menu. In the export wizard the
 

  private key must be exported as well. The generated file can now be
 

- copied to a Linux host.
 

+ copied to a GNU/Linux host.
 

  

  The file created on the AD side is PKCS#12 formatted and can be inspected
 

- on the Linux side with the *openssl pkcs12* utility. NSS, which is
 

+ on the GNU/Linux side with the *openssl pkcs12* utility. NSS, which is
 

  currently used by SSSD to access the Smartcard, expected that the
 

  Smartcard will contain the certificate together with the public and
 

  private key in separate objects, connected by the same label and id.
 

- We will use pkcs11-tool form the opensc package to write the data to the
 

+ We will use pkcs11-tool from the opensc package to write the data to the
 

  card. In general p11tool from the gnutls project can be used as well but
 

  support for writing public keys was added quite recently (gnutls-3.4.6)
 

  so it might no be available on your platform. There might be an issue
 
@@ -116,11 +116,11 @@ 
 

  Writing certificate and keys to a Smartcard
 

  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

  

- First write the certificate data to the Samrtcard by calling ::
 

+ First write the certificate data to the Smartcard by calling ::
 

  

      pkcs11-tool --module my_pkcs11_module.so --slot 0 -w ./cert.der -y cert -a 'My Label' --id 0123456789abcdef0123456789abcdef01234567
 

  

- where *my\_pkcs11\_module.so* and *My Label* shou be replaced by
 

+ where *my\_pkcs11\_module.so* and *My Label* should be replaced by
 

  suitable values. The id value is typically the Subject Key Identifier
 

  which is typically the sha1 hash value of the public key bit string from
 

  the certificate. The value can either obtained from the output of ::
 
@@ -186,10 +186,10 @@ 
 

  Certificate from an external CA
 

  -------------------------------
 

  

- There are various way how to get a certificate from an extrernal CA, see
 

+ There are various ways how to get a certificate from an external CA, see
 

  e.g.
 

  `https://blog-nkinder.rhcloud.com/?p=179 <https://blog-nkinder.rhcloud.com/?p=179>`__
 

- how to generate the keys on a Smartcard, request a certificate form a CA
 

+ how to generate the keys on a Smartcard, request a certificate from a CA
 

  and store it on the Smartcard. As a result the certificate and all the
 

  needed keys are already on the Smartcard. In the following we will
 

  explain how to make AD aware of it and enable local Smartcard login for

file modified
+4 -4 
@@ -78,7 +78,7 @@ 
 

  (which of course are identified by different user names). For the forth
 

  case a new PAM dialog/conversation is needed.
 

  

- To my knowlegde there are currently two cases where a user name is not
 

+ To my knowledge there are currently two cases where a user name is not
 

  available in the first place, InfoPipe lookups by certificate used e.g.
 

  by `mod\_lookup\_identity <https://www.adelton.com/apache/mod_lookup_identity/>`__
 

  and the GDM Smartcard module which calls pam\_start() with an empty user
 
@@ -104,7 +104,7 @@ 
 

  latter case the application can ask for a user name.
 

  

  For the gdm case it might be useful to see how Smartcard authentication
 

- is handled on Windows. To illustrate this I prepare two short screencast
 

+ is handled on Windows. To illustrate this I prepare two short screencasts
 

  (sorry for the raw state, if time permits I will improve them).
 

  

  `The
 
@@ -147,7 +147,7 @@ 
 

  clear to the user what input is expected and why.
 

  

  If it is needed to select a certificate the typical PAM service will
 

- display specific data from the certificates, e.g. the valie of the most
 

+ display specific data from the certificates, e.g. the value of the most
 

  specific RDN of the subject and the full DN of the issuer, in a numbered
 

  list asking the user to enter the number of the certificate which should
 

  be used for login. If would be nice if gdm can display this list in a
 
@@ -155,7 +155,7 @@ 
 

  mouse-click. Since SSSD knows that it is called by gdm because of the
 

  PAM service name, e.g. gdm-smartcard, it would be possible to send the
 

  certificate data with a new messages style, e.g.
 

- PAM\_SELECTON\_LIST\_ITEM like the Linux specific PAM\_RADIO\_TYPE. Then
 

+ PAM\_SELECTON\_LIST\_ITEM like the GNU/Linux specific PAM\_RADIO\_TYPE. Then
 

  gdm would be able to display the certificate selection in a more
 

  suitable way, e.g. similar to the selection of user names.

file modified
+1 -1 
@@ -67,7 +67,7 @@ 
 

  service.
 

  

  The change in the responders' common code is quite trivial, just change
 

- the sss\_process\_init code to call activate\_unix\_sockets() istead of
 

+ the sss\_process\_init code to call activate\_unix\_sockets() instead of
 

  set\_unix\_socket(). Something like: ::
 

  

      -    ret = set_unix_socket(rctx, conn_setup);

file modified
+5 -5 
@@ -71,7 +71,7 @@ 
 

  

      # sssctl domain-status $domain [--online, --last-request, --active-server, --servers]
 

      Online status: Online/Offline
 

-     Active server: $currently-conected-server (server status, port status, resolver status)
 

+     Active server: $currently-connected-server (server status, port status, resolver status)
 

  

      Primary servers:
 

          first.example.com (server status, port status, resolver status)
 
@@ -186,23 +186,23 @@ 
 

  ~~~~~~~~~
 

  

  -  **Q1**: [Domain; Last request] What would be preferred number of
 

-    request to be printed? Do we wan't a parameter for this in sssd.conf
 

+    request to be printed? Do we want a parameter for this in sssd.conf
 

     or even make it possible to change this value dynamically?
 

  

     -  Start with fixed number of 10 request and keep it unless a bigger
 

-       requirenment comes.
 

+       requirement comes.
 

  

  -  **Q2**: [Domain; Server list] Is it enough to print only active
 

     server or do we want full list of primary and backup servers as well?
 

  

     -  Print full list containing also discovered servers.
 

  

- -  **Q3**: [Domain; Server list] Do we want to also print IP adresses?
 

+ -  **Q3**: [Domain; Server list] Do we want to also print IP addresses?
 

  

     -  Not needed.
 

  

  -  **Q4**: [Talloc report] Should we provide parameter $file or should
 

-    we hardcod the path as SSSD logs directory, generating name from
 

+    we hardcode the path as SSSD logs directory, generating name from
 

     component and time?
 

  

     -  Provide a file parameter but default to log directory.

file modified
+2 -2 
@@ -67,8 +67,8 @@ 
 

     name of searched domain; second call get\_domains if domain cannot be
 

     found with force flag and name of searched domain)
 

  

- The first task must be solved first but is only a minor effort.The other
 

- two must wait on the first but also require some more work.
 

+ The first task must be solved first but is only a minor effort. The other
 

+ two must wait for the first but also require some more work.
 

  

  For the first implementation it is sufficient that sub-domains work only
 

  if the user name is fully qualified and that the domain name has to be

file modified
+1 -1 
@@ -102,7 +102,7 @@ 
 

  

     #. refresh rules per host, where entryUSN > currentHighestUSN
 

     #. *sudoLastSmartRefreshTime* := current time
 

-    #. nextrefrest := (current time +
 

+    #. nextrefresh := (current time +
 

        *ldap\_sudo\_changed\_refresh\_interval*)
 

     #. **if** nextrefresh >= *sudoNextFullRefreshTime* AND nextrefresh <
 

        (*sudoNextFullRefreshTime* +

file modified
+1 -1 
@@ -97,7 +97,7 @@ 
 

  

  A more technical extension of the previous section. Might include
 

  low-level details, such as C structures, function synopsis etc. In case
 

- of very trivial features (e.g a new option), this section can be merged
 

+ of very trivial features (e.g. a new option), this section can be merged
 

  with the previous one.
 

  

  Configuration changes

file modified
+3 -3 
@@ -5,7 +5,7 @@ 
 

  ---------------
 

  

  Since version 1.8 SUDO supports replacing standard policy behaviour
 

- usign plugins.
 

+ using plugins.
 

  

  Referral plugin API documentation can be found here:
 

  `http://www.gratisoft.us/sudo/man/1.8.2/sudo\_plugin.man.html <http://www.gratisoft.us/sudo/man/1.8.2/sudo_plugin.man.html>`__
 
@@ -104,8 +104,8 @@ 
 

  **user\_info** provided in open() function by SUDO (see plugin API
 

  open())
 

  

- Reponse
 

- ~~~~~~~
 

+ Response
 

+ ~~~~~~~~
 

  

  Byte array with format: ::

file modified
+2 -2 
@@ -76,7 +76,7 @@ 
 

  -  *sudoNotBefore* ~ sudoNotBefore
 

  -  *sudoOption* ~ sudoOption
 

  

- The following attibures have a special meaning and can contain only
 

+ The following attributes have a special meaning and can contain only
 

  value "all". For example if cmdCategory is present, it is equivalent to
 

  sudoCommand=ALL.
 

  
@@ -125,7 +125,7 @@ 
 

  ^^^^^^^^^^^^^
 

  

  -  download everything under cn=sudo,$dc that applies to this host newer
 

-    than last usn value
 

+    than last USN value
 

  -  if new command or command group is downloaded store it only if it is
 

     present in changed rule
 

  -  if a rule contains command or command group that is not yet present

file modified
+8 -8 
@@ -14,26 +14,26 @@ 
 

  

  3. Each sudoRole object supports following attributes:
 

  

-     | **sudoUser** - A user name, uid (prefixed with '#'), Unix group
 

+     | **sudoUser** - A user name, uid (prefixed with '#'), UNIX group
 

        (prefixed with a '%') or user netgroup (prefixed with a '+').
 

  

      | **sudoHost** - A host name, IP address, IP network, or host
 

        netgroup (prefixed with a '+'). The special value ALL will match
 

        any host.
 

  

-     | **sudoCommand** - A Unix command with optional command line
 

+     | **sudoCommand** - A UNIX command with optional command line
 

        arguments and wild chars.
 

  

      | **sudoOption** – Specifies options to be enabled or disabled as in
 

        the sudoers file.
 

  

      | **sudoRunAsUser** - A user name or uid (prefixed with '#') that
 

-       commands may be run as or a Unix group (prefixed with a '%') or
 

+       commands may be run as or a UNIX group (prefixed with a '%') or
 

        user netgroup (prefixed with a '+') that contains a list of users
 

        that commands may be run as. The special value ALL will match any
 

        user.
 

  

-     | **sudoRunAsGroup** - A Unix group or gid (prefixed with '#') that
 

+     | **sudoRunAsGroup** - A UNIX group or gid (prefixed with '#') that
 

        commands may be run as. The special value ALL will match any
 

        group.
 

  
@@ -75,7 +75,7 @@ 
 

      The anatomy of sudo is as follows:
 

  

      when you type 'sudo cmd' sudo is going to lookup in ldap to try and
 

-     find the user posix groups and the user/host Nisnetgroup where the
 

+     find the user POSIX groups and the user/host Nisnetgroup where the
 

      user is a member. Then it is going to do an ldap search in the
 

      ou=SUDOers container looking for any rule that matches that user or
 

      his usergroups. when it matches some rules, it goes down that list
 
@@ -88,7 +88,7 @@ 
 

      this anatomy.
 

  

      For the successful validation we need to know the nisnetgroups and
 

-     posix groups that a user/host is a member of. So that we need to
 

+     POSIX groups that a user/host is a member of. So that we need to
 

      cache the host/user-> nisgroup and user->posixgroups along with all
 

      sudoRole objects inside the SUDOers container that references to the
 

      specified command.
 
@@ -103,7 +103,7 @@ 
 

        search in DN: cn=accounts,dc=example,dc=com. Here we can use
 

        memberof plugin to resolve the user groups and the host groups. This
 

        step is already implemented inside the sssd. In order to include the
 

-       support for nis net groups we can add one more filter to the query
 

+       support for NIS net groups we can add one more filter to the query
 

        that searches for the user groups. The query is ::
 

  

          (|
 
@@ -114,7 +114,7 @@ 
 

        This will give you the netgroup that the user/host is a member of.
 

  

      - In the second phase we apply the search to filter the rules
 

-       that applies to the user/host posix groups and netgroups found
 

+       that applies to the user/host POSIX groups and netgroups found
 

        in step1. Search returns ::
 

  

          (\|(sudoBaseCommand=cmd)(sudoCommand=ALL)) where the

file modified
+2 -2 
@@ -2,7 +2,7 @@ 
 

  ====================
 

  

  This Design document talks about the integration of SUDO support to
 

- SSSD through plugin system.The SUDO can be used to check whether a
 

+ SSSD through plugin system. The SUDO can be used to check whether a
 

  user have rights to execute the instructions as another user. Using
 

  this plugin SUDO can be configured to use custom rules and policies.
 

  So that we can alter authorization rules so as to provide cached
 
@@ -62,7 +62,7 @@ 
 

  The lightweight plugin just forwards the sudo command request from
 

  the SUDO utility to the SSSD. The plugin is made using the
 

  plugin-API and connected to the sudo utility at the client side.
 

- When user types in the command with sudo (eg: sudo ls ) the sudo
 

+ When user types in the command with sudo (e.g.: sudo ls ) the sudo
 

  utility gives the chance for execution to the sudo plugin. The
 

  plugin calls the pam\_authenticate() from the pam library with pam
 

  service defined for sudo, to verify the user provided information.

file modified
+5 -5 
@@ -170,7 +170,7 @@ 
 

  The invalidate function is called when sudo is called with the -k or -K
 

  flag. This function will invalidate the credentials. i.e, the user
 

  credentials will be marked as invalid so that on the nest invocation of
 

- sudo user will be forcefuilly prompted undergo the authentication
 

+ sudo user will be forcefully prompted undergo the authentication
 

  procedures. The invalidate function should be NULL if the plugin does
 

  not support credential caching.
 

  
@@ -179,8 +179,8 @@ 
 

  @param[in] remove - If the remove flag is set, the plugin may remove the
 

  credentials instead of simply invalidating them.
 

  

- Conversation API & Printf-style fuctions
 

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

+ Conversation API & Printf-style functions
 

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

  

  ::
 

  
@@ -252,7 +252,7 @@ 
 

  message\_type : is defined at "sss\_sudo\_cli.h" as **enum
 

  sudo\_item\_type**
 

  

- The message foramt will be: ::
 

+ The message format will be: ::
 

  

      start_header + message_container1 + message_container2 + ........ + message_containerN + stop_header.
 

  
@@ -302,6 +302,6 @@ 
 

  

      command                            SSS_SUDO_ITEM_COMMAND            command with its arguments to be executed
 

  

-     user's enviroment variables        SSS_SUDO_ITEM_USER_ENV           null terminated list of environment variables
 

+     user's environment variables       SSS_SUDO_ITEM_USER_ENV           null terminated list of environment variables
 

  

      client pid                         SSS_SUDO_ITEM_CLI_PID            client's pid

file modified
+2 -2 
@@ -22,7 +22,7 @@ 
 

  -  For admins - The format of data in sysdb is dependent on SSSD
 

     configuration. Changes in sssd.conf may render the cached data
 

     invalid, so admins have to remove the cache. In general, allowing an
 

-    option that should purely control the ouput format to also control
 

+    option that should purely control the output format to also control
 

     the database layout is a very bad idea.
 

  

  -  For code maintainers - The code that deals with SYSDB\_NAME attribute
 
@@ -113,7 +113,7 @@ 
 

     plugin to allow the user to bypass the module (maybe when an
 

     environment variable is set)
 

  

- Additionaly, because this update is risky, we should perform the update
 

+ Additionally, because this update is risky, we should perform the update
 

  on a copy of the database and only rename the copy when the upgrade
 

  finishes successfully. This would allow the admin to downgrade sssd back
 

  and still use the original database in the previous format.

file modified
+1 -1 
@@ -263,7 +263,7 @@ 
 

  

  How To Test
 

  -----------
 

- The easiest way to test is removing the service from sssd,conf's  ``services``
 

+ The easiest way to test is removing the service from sssd.conf's  ``services``
 

  line, enabling the service's socket and trying to use SSSD normally.
 

  

  See below an example of how to enable NSS and PAM sockets::

file modified
+3 -3 
@@ -37,7 +37,7 @@ 
 

     SYSDB\_HOMEDIR attribute.
 

  -  Update ``apply_subdomain_homedir()``
 

  

-    -  to parse AD home dirrctory from ldb\_msg
 

+    -  to parse AD home directory from ldb\_msg
 

     -  do not call ``store_homedir_of_user()`` if value of expanded home
 

        directory is an empty string.
 

  
@@ -54,14 +54,14 @@ 
 

  

  #. On SSSD in server mode
 

  

-    -  For AD user with posix attributes set home directory attribute
 

+    -  For AD user with POSIX attributes set home directory attribute
 

  

        -  in sssd.conf set ``subdomain_homedir`` option to '%o'
 

        -  invalidate cache (sss\_cache) and restart SSSD
 

        -  call ``getent passwd user`` and check that home directory
 

           reflects value from AD
 

  

-    -  For AD user ``without`` posix attributes
 

+    -  For AD user ``without`` POSIX attributes
 

  

        -  in sssd.conf set ``subdomain_homedir`` option to %o and
 

           ``fallback_homedir`` to /home/%u

file modified
+1 -1 
@@ -103,7 +103,7 @@ 
 

  -  Test and implement Root only access to files, and channel all access
 

     through sssd
 

  

-    -  Needed for openshift and similar containerized envs.
 

+    -  Needed for OpenShift and similar containerized envs.
 

  

  Authors
 

  ~~~~~~~

file modified
+5 -5 
@@ -22,7 +22,7 @@ 
 

  

  A web application, using the InfoPipe interface requests all users
 

  starting with the letter 'a' so the users can be displayed in the
 

- application UI on a sigle page. The SSSD must fetch and return all
 

+ application UI on a single page. The SSSD must fetch and return all
 

  matching user entries, but without requiring enumeration, which would
 

  pull down too many users.
 

  
@@ -168,9 +168,9 @@ 
 

  We also need to limit the number of entries returned from the server,
 

  otherwise the wildcard request might easily turn into a full
 

  enumeration. To this end, we will add a new configuration option
 

- ``wildcard_search_limit``. Internally, we would change the boolan
 

+ ``wildcard_search_limit``. Internally, we would change the boolean
 

  parameter of ``sdap_get_users_send`` to a tri-state that would control
 

- whether we expect only a single entry (ie don't use the paging control),
 

+ whether we expect only a single entry (i.e. don't use the paging control),
 

  multiple entries with a search limit (wildcard request) or multiple
 

  entries with no limit (enumeration). We need to make sure during
 

  implementation that it is discoverable via DEBUG messages that the upper
 
@@ -233,7 +233,7 @@ 
 

  

  Making sure the IPA provider in server mode is capable of returning
 

  wildcard entries and adding a wildcard-enabled function for the
 

- ``libnss_sss_idmap`` library would a prerequisity so that the extop
 

+ ``libnss_sss_idmap`` library would be a prerequisite so that the extop
 

  plugin can request multiple entries from the SSSD running in the server
 

  mode.
 

  
@@ -269,7 +269,7 @@ 
 

  When the InfoPipe API is ready, then testing will be done using the
 

  methods such as ListByName. Until then, the feature is not exposed or
 

  used anyway, so developers can test using a special command-line tool
 

- that would send the DP request directly. This tool wouldn't be commited
 

+ that would send the DP request directly. This tool wouldn't be committed
 

  to the git tree.
 

  

  Authors

file modified
+1 -1 
@@ -85,7 +85,7 @@ 
 

  

     -  after a comma
 

     -  before an operator
 

-    -  align the new line with the beginnigng of the expression at the
 

+    -  align the new line with the beginning of the expression at the
 

        same level in the previous line
 

     -  in case of long "if" statements, wrap the line before an operator
 

        and indent the new line

file modified
+6 -8 
@@ -43,7 +43,7 @@ 
 

  

      https://pagure.io/SSSD/sssd.git
 

  

- We also maintain a read-only mirror on github. ::
 

+ We also maintain a read-only mirror on GitHub. ::
 

  

      https://github.com/SSSD/sssd
 

  
@@ -241,8 +241,8 @@ 
 

      git add <path_to_file1> <path_to_file2> ...
 

      git commit
 

  

- Before submitting a patch, always make sure it doesn't break SSSD
 

- tests <https://docs.pagure.org/SSSD.sssd/users/reporting_bugs.html#running-integration-tests-locally>`_
 

+ Before submitting a patch, always make sure it doesn't break `SSSD
 

+ tests <https://docs.pagure.org/SSSD.sssd/users/reporting_bugs.html#running-integration-tests-locally>`__
 

  and applies to the latest upstream master branch. You will want to
 

  rebase to this branch and fix any merge conflicts (in case someone else
 

  changed the same code). ::
 
@@ -264,10 +264,8 @@ 
 

  patch makes the ``resolv_is_address()`` function public with tests and the
 

  other adds the function in the SSSD providers.
 

  

- .. FIXME: Add a link to GithubWorkflow as soon as it gets migrated.
 

- 

- Once your changes are ready for submission, submit it via a github pull
 

- request.
 

+ Once your changes are ready for submission, submit it via a `GitHub pull
 

+ request <https://docs.pagure.org/SSSD.sssd/newcomers/getting_started.html#github-workflow>`__.
 

  

  If a patch isn't accepted on the first review, you will need to modify
 

  it and resubmit it. When this happens, you will want to amend your
 
@@ -283,7 +281,7 @@ 
 

  and follow the directions in the interactive rebase to modify specific
 

  patches.
 

  

- Then just re-push the patches to github, the pull request will be
 

+ Then just re-push the patches to GitHub, the pull request will be
 

  refreshed automatically.
 

  

  Patch metadata

file modified
+3 -3 
@@ -2,7 +2,7 @@ 
 

  ==================================================
 

  

  This document describes how the different SSSD processes communicate
 

- between one another with a special epmhasis on the Sbus protocol. In
 

+ between one another with a special emphasis on the Sbus protocol. In
 

  addition, the document describes the interfaces SSSD might use to
 

  communicate with external libraries or programs, such as libkrb5 or how
 

  are the requests from NSS and PAM modules received.
 
@@ -187,14 +187,14 @@ 
 

  This means, there is ongoing sbus communication even though the sssd is
 

  otherwise idle.
 

  

- Unix signals
 

+ UNIX signals
 

  ------------
 

  

  Apart from the internal SBUS communication, SSSD also uses UNIX signals
 

  for certain functionality - either for communication with external
 

  utilities or for cases where the SBUS communication might not work, such
 

  as an unresponsive worker process. Below is an overview of the supported
 

- signals and their use. The singal handlers are typically integrated with
 

+ signals and their use. The signal handlers are typically integrated with
 

  the tevent event loop using its ``tevent_add_signal`` call.
 

  

  SIGTERM

file modified
+3 -3 
@@ -33,7 +33,7 @@ 
 

  

         zanata-cli push -s .
 

  

-  #. If this is is the last pre-release (e.g. final beta before bugfix-only phase) String Freeze should be announced on the sssd-devel list and the Zanata site.
 

+  #. If this is the last pre-release (e.g. final beta before bugfix-only phase) String Freeze should be announced on the sssd-devel list and the Zanata site.
 

  

  Tag and sign the release
 

  ------------------------
 
@@ -42,7 +42,7 @@ 
 

  

         git tag -s sssd-1_3_0
 

  

-  #. Push the tag. Pus the tag explictly instead of using ``--tags`` so that you do not push extraneous tags by mistake::
 

+  #. Push the tag. Push the tag explicitly instead of using ``--tags`` so that you do not push extraneous tags by mistake::
 

  

         git push origin sssd-1_3_0
 

  
@@ -141,7 +141,7 @@ 
 

  

         git diff previoustag..newtag -- contrib/sssd.spec.in
 

  

-  #. For each release, if any changes have occured in documentation, such as new options, options changing default values, the release notes should include a section that summarizes there changes::
 

+  #. For each release, if any changes have occurred in documentation, such as new options, options changing default values, the release notes should include a section that summarizes there changes::
 

  

         git diff previoustag..newtag -- src/man

file modified
+9 -9 
@@ -69,9 +69,9 @@ 
 

  In order to do so, go to our `SSSD's github page
 

  <https://github.com/SSSD/sssd>`__, log in with your GitHub account
 

  and click in the ``Fork`` button. It will create a sssd fork in your
 

- own github account. Once it's done ...
 

+ own GitHub account. Once it's done ...
 

  

- - Clone your own SSSD's fork:
 

+ - Clone your own SSSD fork:
 

    ``$ git clone git@github.com:<your_username>/sssd.git``
 

  

  - Add `SSSD's github repo <https://github.com/SSSD/sssd>`__ as a
 
@@ -87,18 +87,18 @@ 
 

  <https://docs.pagure.org/SSSD.sssd/developers/contribute.html>`__ ,
 

  have made your changes following our `Coding guidelines
 

  <https://docs.pagure.org/SSSD.sssd/developers/coding_style.html>`__ and
 

- have commited your changes following our `git-commit-template
 

+ have committed your changes following our `git-commit-template
 

  <https://github.com/SSSD/sssd/blob/master/.git-commit-template>`__ and
 

  have implemented some unit/integration tests to ensure we're never hit
 

- this very same issue again in the future ... now is time to open your
 

+ by this very same issue again in the future ... now is time to open your
 

  pull-request.
 

  

- The way the author of this documment does is:
 

+ The way the author of this document does is:
 

  

- - Push the changes to *your* SSSD's repo:
 

+ - Push the changes to *your* SSSD repo:
 

    ``$ git push origin wip/meaningful_name``
 

  

- - Go to yours GitHub page;
 

+ - Go to your GitHub page;
 

  

  - Open the Pull Request by using GitHub's web UI.
 

  
@@ -129,7 +129,7 @@ 
 

    merged to SSSD's repo without any changes.
 

  

  - Changes are requested: it means that something has to be changed in
 

-   your patch before it gets merged to SSSD; s repo. In this case,
 

+   your patch before it gets merged to SSSD's repo. In this case,
 

    you'd like to:
 

  

    - Carefully read and understand the changes required by the reviewer;
 
@@ -142,7 +142,7 @@ 
 

        - Please, do *not* privately ping the developers for all your
 

          doubts. Discussing in the pull-request is a better and more
 

          transparent way to do so *and* also doesn't interrupt the
 

-         developr from any other task they are doing.
 

+         developer from any other task they are doing.
 

  

    - Make the changes in your patches;

file modified
+15 -15 
@@ -100,7 +100,7 @@ 
 

  

     * In general, search for a user entry that has the POSIX attributes
 

       set on port 3268 of a Domain Controller
 

-    * You can use the LDP tool from Windows or later, when the Linux machine
 

+    * You can use the LDP tool from Windows or later, when the GNU/Linux machine
 

       is joined, simply ``ldapsearch``
 

  

  Client configuration
 
@@ -115,7 +115,7 @@ 
 

  DNS configuration
 

  ^^^^^^^^^^^^^^^^^
 

  

- It is recommended that the Linux client you are enrolling is able to
 

+ It is recommended that the GNU/Linux client you are enrolling is able to
 

  resolve the SRV records the Active directory publishes. In order to do
 

  so, the clients would typically point at the AD DCs in
 

  ``/etc/resolv.conf``. You can verify this using dig::
 
@@ -129,12 +129,12 @@ 
 

  or, if only some DCs from that trusted domain are reachable, define a
 

  per-subdomain section in the config file (see below for an example).
 

  

- Joining the Linux client using realmd
 

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

+ Joining the GNU/Linux client using realmd
 

+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

  

  The realmd (Realm Discovery) project is a system service that manages
 

  discovery and enrolment to several centralized domains including AD or
 

- IPA. realmd is included in several popular Linux distributions including:
 

+ IPA. realmd is included in several popular GNU/Linux distributions including:
 

  

  * Red Hat Enterprise Linux 7.0 and later
 

  * Fedora 19 and later
 
@@ -176,7 +176,7 @@ 
 

    * Pros: Very simple. Supports nested groups, because the user entry
 

      is fully evaluated on login first and then the simple access
 

      provider runs.
 

-   * Cons: Does not support any more expresiveness than allow/deny a
 

+   * Cons: Does not support any more expressiveness than allow/deny a
 

      user or a group.
 

  

  * ``access_provider=ad``
 
@@ -184,7 +184,7 @@ 
 

    * Pros: Supports fully centralized environments by using GPOs for
 

      access control
 

    * Cons: Not supported with older releases. In a mixed environment,
 

-     sometimes using the same options for Linux and Windows machines might
 

+     sometimes using the same options for GNU/Linux and Windows machines might
 

      not be desirable.
 

  

  * ``ad_access_filter``
 
@@ -200,10 +200,10 @@ 
 

  stack alongside SSSD or when defining access control by means SSSD doesn't
 

  support (such as per netgroup).
 

  

- Joining the Linux client to the AD domain manually
 

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

+ Joining the GNU/Linux client to the AD domain manually
 

+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

  

- The manual process of joining the Linux client to the AD domain consists
 

+ The manual process of joining the GNU/Linux client to the AD domain consists
 

  of several steps:
 

  

  * Acquiring the host keytab with Samba or create it using ``ktpass`` on the
 
@@ -215,11 +215,11 @@ 
 

  Creating Host Keytab with Samba
 

  """""""""""""""""""""""""""""""
 

  

- On the Linux client with properly configured ``/etc/krb5.conf`` (see below)
 

+ On the GNU/Linux client with properly configured ``/etc/krb5.conf`` (see below)
 

  and suitable ``/etc/samba/smb.conf``:
 

  

  /etc/krb5.conf
 

- """"""""""""""
 

+ ''''''''''''''
 

  

  Adjust the contents to match your realm data::
 

  
@@ -355,7 +355,7 @@ 
 

  

  Configuring SSSD consists of several steps:
 

  

- * Install the ``sssd-ad`` package on the Linux client machine
 

+ * Install the ``sssd-ad`` package on the GNU/Linux client machine
 

  * Make configuration changes to the files below
 

  * Start the ``sssd`` service
 

  
@@ -501,7 +501,7 @@ 
 

  Understanding Kerberos & Active Directory
 

  -----------------------------------------
 

  

- It is important to understand that (unlike Linux MIT based KDC) Active
 

+ It is important to understand that (unlike GNU/Linux MIT based KDC) Active

I am not sure about this one. Maybe it was caused by mass conversion with sed :-) "GNU/Linux MIT based KDC" sounds weird to me.

sobek commented 6 years ago

It was a deliberate change based on https://web.mit.edu/kerberos/krb5-devel/doc/mitK5features.html :)

I can see on that page.

Supported platforms / OS distributions:
* GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86

But

Collection support to the KEYRING credential cache type on Linux Credential cache

It confirms my assuption whether it is used as a noun or as an addjective

 
  Directory based KDC divides Kerberos principals into two groups:
 

  

  * *User Principals* - usually equals to the ``sAMAccountname`` attribute of
 
@@ -542,7 +542,7 @@ 
 

   service sssd start
 

   getent passwd administrator@ad.example.com
 

  

- f all looks well on your system after this, you know that sssd is able o
 

+ If all looks well on your system after this, you know that sssd is able o
 

  use the kerberos and ldap services you've configured.
 

  

  The example configuration enforces the use of *fully qualified names*.

file modified
+4 -4 
@@ -19,7 +19,7 @@ 
 

  What platforms run SSSD?
 

  ^^^^^^^^^^^^^^^^^^^^^^^^
 

  

- We are currently aware of the following Linux distributions shipping
 

+ We are currently aware of the following GNU/Linux distributions shipping

Wiki says Linux distributions

https://en.wikipedia.org/wiki/List_of_Linux_distributions

sobek commented 6 years ago

Please, see first paragraph of https://en.wikipedia.org/wiki/Linux
and all of https://en.wikipedia.org/wiki/GNU/Linux_naming_controversy

I prefer to use "GNU/Linux" for the operating system and "Linux" only for the kernel.
Words and thinking are related. With GNU/Linux people get to know GNU (sadly most users don't) and it helps to differentiate, f.e. dependence on operating system or on kernel; think about "Debian GNU/kFreeBSD" or "Android".

But in this case "Linux" is neither kernel nor "OS". Therefore I shared link to wiki. The only page where I was able to find "GNU/Linux distribution" is surprisingly gnu.org.

But it is really a nitpick and i do not prefer any of those. It is just really uncommon to see it as an adjective.

[1] https://www.gnu.org/distros/free-distros.html

 
  some version of SSSD.
 

  

  -  `Fedora Project <http://fedoraproject.org>`__ - This is the
 
@@ -35,7 +35,7 @@ 
 

     `AUR <http://aur.archlinux.org/packages.php?K=sssd>`__
 

  

  In theory, SSSD should compile and run (hopefully without modification)
 

- on any modern Linux distribution. Non-Linux platforms such as the BSD
 

+ on any modern GNU/Linux distribution. Non-Linux platforms such as the BSD

the same here

 
  distributions are not yet fully supported, though some work is ongoing
 

  to port SSSD to
 

  `FreeBSD <http://portsmon.freebsd.org/portoverview.py?category=security&portname=sssd>`__
 
@@ -51,7 +51,7 @@ 
 

  (long-term maintenance) are supported for longer time than other
 

  releases with fixes for important bugs and security patches.
 

  

- The regular releases are more frequent than LTM releases and are intened
 

+ The regular releases are more frequent than LTM releases and are intended
 

  for users who like to use the latest functionality. The LTM releases are
 

  targeted at users who prefer to run very stable codebase and don't need
 

  the latest features.
 
@@ -139,7 +139,7 @@ 
 

  What LDAP schema should I use?
 

  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

  

- The LDAP schema defines the set of default attribute names retreived on
 

+ The LDAP schema defines the set of default attribute names retrieved on
 

  the server as well as meaning of some of the attributes, notably
 

  membership attributes. The two most widely used schemas are rfc2307 and
 

  rfc2307bis with rfc2307 being the default. When using the rfc2307

file modified
+10 -10 
@@ -10,7 +10,7 @@ 
 

  for performance and ease of use reasons. Please see :doc:`ad_provider` for
 

  a reference. There are two reasons where you might still want to use the
 

  LDAP provider, though. One is if you are using a *very* old SSSD version,
 

- the other reason is if you cannot or do not want join your Linux clients
 

+ the other reason is if you cannot or do not want join your GNU/Linux clients

I think it is the same case as about "Linux" should be an adjective here. Therefore probably only Linx. (maybe linux)?

Correct me if I'm wrong. I am not English native speaker.

 
  to the AD domain.
 

  

  Windows Server Setup
 
@@ -57,7 +57,7 @@ 
 

  Creating Service Keytab with Samba
 

  """"""""""""""""""""""""""""""""""
 

  

- On the Linux client with properly configured ``/etc/krb5.conf`` (see
 

+ On the GNU/Linux client with properly configured ``/etc/krb5.conf`` (see
 

  below) and suitable ``/etc/samba/smb.conf``::
 

  

      [global]
 
@@ -109,7 +109,7 @@ 
 

     # chmod 0600 /etc/krb5.keytab
 

     # restorecon /etc/krb5.keytab
 

  

- See the ``Linux Client Setup`` section for verifying the keytab file and
 

+ See the ``GNU/Linux Client Setup`` section for verifying the keytab file and
 

  the example sssd.conf below for the needed SSSD configuration.
 

  

  Using DN/Password Binds for LDAP Searches
 
@@ -145,10 +145,10 @@ 
 

  -  Set the ``Home Directory`` to ``/home/aduser``
 

  -  Set ``Primary Group Name/GID`` to ``unixusers``
 

  

- Linux Client Setup
 

- ------------------
 

+ GNU/Linux Client Setup
 

+ ----------------------
 

  

- -  Install ``sssd`` package on the Linux client machine
 

+ -  Install ``sssd`` package on the GNU/Linux client machine
 

  -  Make configuration changes to the files below
 

  -  Start the ``sssd`` service
 

  
@@ -197,7 +197,7 @@ 
 

  If you generated your keytab with a different createupn argument, it's
 

  possible this won't work and the following works instead. This is absolutely
 

  fine as far as sssd is concerned, and you can instead generate a ticket
 

- for the upn you have created::
 

+ for the UPN you have created::
 

  

      # kinit -k -t /etc/krb5.keytab nfs/client.ad.example.com@AD.EXAMPLE.COM
 

  
@@ -213,8 +213,8 @@ 
 

  After both ``kinit`` and ``ldapsearch`` work properly proceed to actual
 

  SSSD configuration.
 

  

- ``/etc/sssd/sssd.conf``
 

- ^^^^^^^^^^^^^^^^^^^^^^^
 

+ /etc/sssd/sssd.conf
 

+ ^^^^^^^^^^^^^^^^^^^
 

  

  Example ``sssd.conf`` configuration, additional options can be added as
 

  needed::
 
@@ -388,7 +388,7 @@ 
 

  Understanding Kerberos & Active Directory
 

  -----------------------------------------
 

  

- It is important to understand that (unlike Linux MIT based KDC) Active
 

+ It is important to understand that (unlike GNU/Linux MIT based KDC) Active
 

  Directory based KDC divides Kerberos principals into two groups:
 

  

  -  *User Principals* - usually equals to the sAMAccountname attribute of

file modified
+1 -1 
@@ -376,7 +376,7 @@ 
 

  -  cache\_req tests: rename test\_user to test\_user\_by\_name
 

  -  cache\_req tests: define user name constant
 

  -  cache\_req: preparations for different input type
 

- -  cache\_req: add support for user by uid
 

+ -  cache\_req: add support for user by UID
 

  -  cache\_req: add support for group by name
 

  -  cache\_req: remove default branch from switches
 

  -  cache\_req: add support for group by id

file modified
+1 -1 
@@ -16,7 +16,7 @@ 
 

  -  A socket leak in case SSSD couldn't establish a connection to an LDAP
 

     server was fixed
 

  -  SSSD's memory cache now behaves better when used by long-running
 

-    applications such as system deamons and the administrator invalidates
 

+    applications such as system daemons and the administrator invalidates
 

     the cache
 

  -  The SSSDConfig Python API no longer throws an exception when
 

     config\_file\_version is missing

file modified
+1 -1 
@@ -58,7 +58,7 @@ 
 

     a high RID values. Most deployments can use the default value of this
 

     option.
 

  -  Several PAM services were added to the lists that are used to map
 

-    Windows logon services to Linux PAM services. The newly added PAM
 

+    Windows logon services to GNU/Linux PAM services. The newly added PAM
 

     services include login managers (``lightdm``, ``lxdm``, ``sddm`` and
 

     ``xdm``) as well as the ``cockpit`` service.
 

  -  The AD machine credentials renewal task can be fine-tuned using the

file modified
+2 -2 
@@ -206,8 +206,8 @@ 
 

        * NEGCACHE: Descend to all subdomains when adding user/groups
 

        * CACHE_REQ: Don't error out when searching by id = 0
 

        * NSS: Don't error out when deleting an entry which has id = 0 from the memcache
 

-       * NEGCACHE: Add root's uid/gid to ncache
 

-       * TEST_NEGCACHE: Ensure root's uid and gid are always added to ncache
 

+       * NEGCACHE: Add root's UID/GID to ncache
 

+       * TEST_NEGCACHE: Ensure root's UID and GID are always added to ncache
 

        * CONFDB: Set a default value for subdomain_refresh_interval in case an invalid value is set
 

        * SDAP: Add a debug message to explain why a backend was marked offline
 

        * SDAP: Don't call be_mark_offline() because sdap_id_conn_data_set_expire_timer() failed

file modified
+5 -5 
@@ -70,7 +70,7 @@ 
 

  

      ldbsearch -H /var/lib/sss/db/cache_$domain.ldb -b cn=sysdb '$filter'
 

  

- -  SSSD cache uses LDAP-like format equal to sudo format descibred in
 

+ -  SSSD cache uses LDAP-like format equal to sudo format described in
 

     `man
 

     sudoers.ldap <https://www.sudo.ws/man/1.8.15/sudoers.ldap.man.html>`__
 

  
@@ -86,7 +86,7 @@ 
 

  

  -  Were all matching rules stored? ::
 

  

-     [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfuly stored in cache
 

+     [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfully stored in cache
 

  

  -  What filter was used to fetch rules from server? ::
 

  
@@ -165,7 +165,7 @@ 
 

  **a) Setting global options with cn=defaults when sudo rules are stored
 

  on an IPA server**
 

  

- To immitate global options, create a rule named ``cn=defaults`` in LDAP tree
 

+ To imitate global options, create a rule named ``cn=defaults`` in LDAP tree
 

  or rule named ``defaults`` in IPA and ``set`` sudoOption attribute as you wish.
 

  

  **b) !authenticate does not work**
 
@@ -225,7 +225,7 @@ 
 

  

  We switched to IPA sudo rules schema stored at ``cn=sudo`` in SSSD 1.13.4.
 

  The slapi-nis plugin that is used to generate the compat tree
 

- ``ou=sudoers`` unfold members of non-posix group and stores each as
 

+ ``ou=sudoers`` unfold members of non-POSIX group and stores each as
 

  ``sudoUser: member`` value. This makes sudo rules work even with non-POSIX
 

  group if the compat tree is used.
 

  
@@ -235,7 +235,7 @@ 
 

  

  The correct way to reference a non-POSIX group in sudo rule is to
 

  include it by a POSIX one which is referenced by sudo as "sudorule --->
 

- posix group <--- non-posix group".
 

+ POSIX group <--- non-POSIX group".
 

  

  Asking for help
 

  ---------------

file modified
+7 -7 
@@ -11,7 +11,7 @@ 
 

  

  The SSSD provides two major features - obtaining information about users
 

  and authenticating users. Each of these hooks into different system APIs
 

- and should be viewed separately. However, a successfull authentication can
 

+ and should be viewed separately. However, a successful authentication can
 

  only be performed when the information about a user can be retrieved, so if
 

  authentication doesn't work in your case, please make sure you can at least
 

  obtain info from about the user with ``getent passwd $user`` and ``id``.
 
@@ -309,16 +309,16 @@ 
 

       worker processes and was expecting `pongs`. If the target process failed
 

       to reply three times, it was killed. Starting with upstream version
 

       1.14, the ping-pongs were removed in favor of in-process `watchdog`.
 

-      This change has consenquence for the admin in the sense that with
 

+      This change has consequence for the admin in the sense that with
 

       the older versions, the most useful debug source was the ``sssd.log``
 

       file, with more recent versions, it's the per-process log file. In both
 

       cases, raising the ``timeout`` value works.
 

   * For configuration with ``id_provider=ldap`` and ``auth_provider=ldap``.
 

-    retrieving user information works, but authetication does not
 

+    retrieving user information works, but authentication does not
 

  

     * Please note that user authentication is typically retrieved over
 

-      unecrypted channel (unless ``ldap_id_use_start_tls`` is enabled), but
 

-      authentication always happens over an ecrypted channel. Checking for
 

+      unencrypted channel (unless ``ldap_id_use_start_tls`` is enabled), but
 

+      authentication always happens over an encrypted channel. Checking for
 

       certificate errors should be the first step. To test authentication
 

       manually, you can perform a base-search against the user entry together
 

       with ldapsearch's ``-Z`` option.
 
@@ -444,7 +444,7 @@ 
 

  Troubleshooting Authentication, Password Change and Access Control
 

  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

  

- In order for authentication to be successfull, the user information must
 

+ In order for authentication to be successful, the user information must
 

  be accurately provided first. Before debugging authentication, please
 

  make sure the user information is resolvable with ``getent passwd $user`` or
 

  ``id $user``. Failing to retrieve the user info would also manifest in the
 
@@ -480,7 +480,7 @@ 
 

      requests, the authentication/access control is typically not cached and
 

      always contacts the server. This might manifest as a slowdown in some
 

      cases, but it's quite important, because the supplementary groups
 

-     in Linux are only set during login time.
 

+     in GNU/Linux are only set during login time.
 

  

      * The PAM responder logs should show the request being received from
 

        the pam stack and then forwarded to the back end.

no initial comment

ACK. I scrolled through the large diff (thank you very much for this contribution!) with git diff --word-diff=plain and all the changes I saw made sense.

I'll let some of the other SSSD developers voice their opinion rather than merging a patch on my own on a Sunday, but I'm glad for these changes, thanks!

Sure, no problem.
For what it is worth, issue SSSD/sssd#3555 was the starter.

I am not sure about this one. Maybe it was caused by mass conversion with sed :-) "GNU/Linux MIT based KDC" sounds weird to me.

the same here

I think it is the same case as about "Linux" should be an adjective here. Therefore probably only Linx. (maybe linux)?

Correct me if I'm wrong. I am not English native speaker.

Really nice work.

I had few comments about Linux and GNU/Linux and I would appreciate a help/review from @sgallagh :-)

Please, see first paragraph of https://en.wikipedia.org/wiki/Linux
and all of https://en.wikipedia.org/wiki/GNU/Linux_naming_controversy

I prefer to use "GNU/Linux" for the operating system and "Linux" only for the kernel.
Words and thinking are related. With GNU/Linux people get to know GNU (sadly most users don't) and it helps to differentiate, f.e. dependence on operating system or on kernel; think about "Debian GNU/kFreeBSD" or "Android".

Neither am I an English native speaker. :)
To me it seems to refer to the operating system, not the Linux kernel.

EDIT: The previous comments were added using browser. This comment was sent by email. Due to the hash-like email address I thought it would append to the previous comment for line 6 of users/ldap_with_ad.rst. Alas it did not.
Edited 6 years ago by sobek

I can see on that page.

Supported platforms / OS distributions:
* GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86

But

Collection support to the KEYRING credential cache type on Linux Credential cache

It confirms my assuption whether it is used as a noun or as an addjective

But in this case "Linux" is neither kernel nor "OS". Therefore I shared link to wiki. The only page where I was able to find "GNU/Linux distribution" is surprisingly gnu.org.

But it is really a nitpick and i do not prefer any of those. It is just really uncommon to see it as an adjective.

[1] https://www.gnu.org/distros/free-distros.html

OK lets merge it :-)
If there are people who really do not like "GNU/Linux" as an adjective then they can send PR :-)

Pull-Request has been merged by lslebodn
6 years ago
Metadata
None
No Tags
Changes Summary 78
+2 -2
file changed
design_pages/accounts_service.rst
+6 -6
file changed
design_pages/active_directory_access_control.rst
+2 -2
file changed
design_pages/active_directory_dns_updates.rst
+1 -1
file changed
design_pages/active_directory_fixed_dns_site.rst
+15 -15
file changed
design_pages/active_directory_gpo_integration.rst
+1 -1
file changed
design_pages/async_winbind.rst
+8 -8
file changed
design_pages/autofs_integration.rst
+1 -1
file changed
design_pages/backend_dns_helpers.rst
+1 -1
file changed
design_pages/blank_template.rst
+2 -2
file changed
design_pages/config_enhancements.rst
+10 -10
file changed
design_pages/data_provider.rst
+3 -3
file changed
design_pages/dbus_domains.rst
+10 -10
file changed
design_pages/dbus_responder.rst
+1 -1
file changed
design_pages/dbus_signal_property_changed.rst
+1 -1
file changed
design_pages/dbus_simple_api.rst
+3 -3
file changed
design_pages/dbus_users_and_groups.rst
+1 -1
file changed
design_pages/ddns_messages_update.rst
+7 -7
file changed
design_pages/fast_nss_cache.rst
+2 -2
file changed
design_pages/files_provider.rst
+2 -2
file changed
design_pages/fleet_commander_integration.rst
+1 -1
file changed
design_pages/global_catalog_lookups.rst
+4 -4
file changed
design_pages/idmap_auto_assign_new_slices.rst
+15 -15
file changed
design_pages/integrate_sssd_with_cifs_client.rst
+2 -2
file changed
design_pages/ipa_server_mode.rst
+8 -8
file changed
design_pages/kcm.rst
+1 -1
file changed
design_pages/ldap_referrals.rst
+1 -1
file changed
design_pages/local_group_members_for_rfc2307.rst
+6 -6
file changed
design_pages/lookup_users_by_certificate.rst
+2 -2
file changed
design_pages/lookup_users_by_certificate_part2.rst
+4 -4
file changed
design_pages/matching_and_mapping_certificates.rst
+1 -1
file changed
design_pages/netgroups.rst
+4 -4
file changed
design_pages/non_posix_support.rst
+2 -2
file changed
design_pages/not_root_sssd.rst
+5 -5
file changed
design_pages/nss_responder_id_mapping_calls.rst
+6 -6
file changed
design_pages/nss_with_kerberos_principal.rst
+2 -2
file changed
design_pages/one_fifteen_code_refactoring.rst
+3 -3
file changed
design_pages/one_fourteen_performance_improvements.rst
+3 -3
file changed
design_pages/one_way_trusts.rst
+1 -1
file changed
design_pages/open_lmi_provider.rst
+1 -1
file changed
design_pages/pam_conversation_for_otp.rst
+13 -13
file changed
design_pages/prompting_for_multiple_authentication_types.rst
+2 -2
file changed
design_pages/restrict_domains_in_pam.rst
+12 -12
file changed
design_pages/rpc_idmapd_plugin.rst
+3 -3
file changed
design_pages/secrets_service.rst
+2 -2
file changed
design_pages/shortnames.rst
+5 -5
file changed
design_pages/smartcard_authentication_pkinit.rst
+2 -2
file changed
design_pages/smartcard_authentication_step1.rst
+8 -8
file changed
design_pages/smartcard_authentication_testing_with_ad.rst
+4 -4
file changed
design_pages/smartcards_and_multiple_identities.rst
+1 -1
file changed
design_pages/socket_activatable_responders.rst
+5 -5
file changed
design_pages/sssctl.rst
+2 -2
file changed
design_pages/subdomains.rst
+1 -1
file changed
design_pages/sudo_caching_rules.rst
+1 -1
file changed
design_pages/sudo_caching_rules_invalidate.rst
+3 -3
file changed
design_pages/sudo_integration.rst
+2 -2
file changed
design_pages/sudo_ipa_schema.rst
+8 -8
file changed
design_pages/sudo_responder_cache_behaviour.rst
+2 -2
file changed
design_pages/sudo_support.rst
+5 -5
file changed
design_pages/sudo_support_plugin_wire_protocol.rst
+2 -2
file changed
design_pages/sysdb_fully_qualified_names.rst
+1 -1
file changed
design_pages/systemd_activatable_responders.rst
+3 -3
file changed
design_pages/use_ad_homedir.rst
+1 -1
file changed
design_pages/usr_account_mgmt_consolidation.rst
+5 -5
file changed
design_pages/wildcard_refresh.rst
+1 -1
file changed
developers/coding_style.rst
+6 -8
file changed
developers/contribute.rst
+3 -3
file changed
developers/ipc.rst
+3 -3
file changed
developers/release_process.rst
+9 -9
file changed
newcomers/getting_started.rst
+15 -15
file changed
users/ad_provider.rst
+4 -4
file changed
users/faq.rst
+10 -10
file changed
users/ldap_with_ad.rst
+1 -1
file changed
users/relnotes/notes_1_13_0.rst
+1 -1
file changed
users/relnotes/notes_1_13_2.rst
+1 -1
file changed
users/relnotes/notes_1_13_4.rst
+2 -2
file changed
users/relnotes/notes_1_16_0.rst
+5 -5
file changed
users/sudo_troubleshooting.rst
+7 -7
file changed
users/troubleshooting.rst
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.