On (12/01/16 13:40), Lukas Slebodnik wrote:
On (05/11/15 13:51), Sumit Bose wrote:
On Thu, Nov 05, 2015 at 01:02:07PM +0100, Lukas Slebodnik wrote:
On (05/11/15 12:42), Sumit Bose wrote:
On Thu, Nov 05, 2015 at 12:12:17PM +0100, Lukas Slebodnik wrote:
ehlo,
The attached simple patch is a result of the "Fedora end of life" message for the related Fedora ticket.
If you have an idea about better names I will be glad to change them.
BTW should we also remove this part from function sss_write_krb5_conf_snippet?
LS
From c4d56af303ba4385cf9ef1c9053545c243f07a44 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik lslebodn@redhat.com Date: Thu, 5 Nov 2015 11:08:36 +0100 Subject: [PATCH] BUILD: Enable the sssd krb5 localauth plugin by default
It will be installed to /etc/krb.conf.d/ only on those platforms which have krb5 with this directory
...
new file mode 100644 index 0000000000000000000000000000000000000000..950cab8200eb50d7fc878723d38c93d5b616e468 --- /dev/null +++ b/src/examples/sssd_localauth.conf.in @@ -0,0 +1,5 @@ +[plugins]
- localauth = {
- module = sssd:@krb5localauth_plugindir@/sssd_krb5_localauth_plugin.so
- enable_only = sssd
- }
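Review bot: enable_only = sssd in the localauth block of the new sssd_localauth.conf.in limits localauth to the sssd module alone, so a default snippet shipped this way leaves no fallback to the builtin k5login check mentioned in this thread. Suggest dropping that line and keeping only the module = line. The commit message should also say how this file is meant to coexist with the localauth_plugin snippet generated under /var/lib/sss/pubconf/krb5.include.d/.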
just a comment, I think enable_only should not be used here. I added it originally because I thought no other modules would be needed anymore, but I was wrong, see e.g. https://fedorahosted.org/sssd/ticket/2788 or https://fedorahosted.org/sssd/ticket/2707.
I was inspired by /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
I removed the option enable_only. Will it solve #2707 and #2788, or is it unrelated?
It depends. If e.g. the AD and IPA providers would not create /var/lib/sss/pubconf/krb5.include.d/localauth_plugin anymore if /etc/krb5.conf.d/sssd_localauth.conf exists I think #2788 is fixed because we would fall back to the builtin k5login check if enable_only is not set in /etc/krb5.conf.d/sssd_localauth.conf. If both files exist and there is a 'includedir /var/lib/sss/pubconf/krb5.include.d/' in /etc/krb5.conf it depends which file is processed first so I think we should try to avoid it.
OK, I removed "enable_only" from both places.
Btw, what about the domain_realm mapping files we create in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin ? Should they be created in /etc/krb5.conf.d/ if the directory exists? (Must not be solved in the context of this ticket).
It would be good to store domain_realm mapping files there but it would not be allowed in non-root mode.
sh$ ls -ld /etc/krb5.conf.d/
drwxr-xr-x. 1 root root 30 Dec 23 17:12 /etc/krb5.conf.d/
If the file is labeled as '%config(noreplace)' in the spec file we could say that the list is now configurable because changes stay and close #2707 as well.
BTW /etc/krb5.conf.d/ is available (and included in krb5.conf) only on Fedora 23+. So older distributions will still generate the file into /var/lib/sss/pubconf/krb5.include.d/
LS
Oops, I sent the wrong patches. New version is attached.
LS
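The case the thread says to avoid (both localauth snippets present while /etc/krb5.conf includes the pubconf directory), as an added example that is not part of the thread or of SSSD: a Python check that reports it, together with any enable_only setting. The function names and the `root` parameter are assumptions; the sample tree is constructed.

```python
import os
import re
import tempfile

# Paths as named in the thread; `root` lets the check run on a test tree.
ETC_SNIPPET = "etc/krb5.conf.d/sssd_localauth.conf"
PUBCONF_DIR = "var/lib/sss/pubconf/krb5.include.d"
PUBCONF_SNIPPET = PUBCONF_DIR + "/localauth_plugin"
KRB5_CONF = "etc/krb5.conf"

def _read(root, rel):
    path = os.path.join(root, rel)
    if not os.path.isfile(path):
        return None  # a missing file is a valid state, not an error
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def _enable_only(text):
    """Return the enable_only value; commented-out lines do not match."""
    m = re.search(r"^[ \t]*enable_only[ \t]*=[ \t]*(\S+)", text or "", re.M)
    return m.group(1) if m else None

def check_localauth(root="/"):
    """List the conditions the thread says decide the localauth result."""
    etc, pub = _read(root, ETC_SNIPPET), _read(root, PUBCONF_SNIPPET)
    include = re.compile(r"^[ \t]*includedir[ \t]+/" + re.escape(PUBCONF_DIR)
                         + r"/?[ \t]*$", re.M)
    included = bool(include.search(_read(root, KRB5_CONF) or ""))
    findings = [f"{name}: enable_only = {_enable_only(text)}"
                for name, text in (("etc", etc), ("pubconf", pub))
                if _enable_only(text)]
    if etc is not None and pub is not None and included:
        findings.append("both snippets active: processing order decides")
    return findings

def demo():
    """Constructed tree: both snippets exist, only pubconf has enable_only."""
    head = "[plugins]\n localauth = {\n  module = sssd:/constructed/plugin.so\n"
    files = {ETC_SNIPPET: head + " }\n",
             PUBCONF_SNIPPET: head + "  enable_only = sssd\n }\n",
             KRB5_CONF: f"includedir /{PUBCONF_DIR}/\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return check_localauth(root)

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real host, call `check_localauth()` with the default root; an empty list means neither condition was found.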