On (12/01/16 14:11), Lukas Slebodnik wrote:
>On (12/01/16 13:40), Lukas Slebodnik wrote:
>>On (05/11/15 13:51), Sumit Bose wrote:
>>>On Thu, Nov 05, 2015 at 01:02:07PM +0100, Lukas Slebodnik wrote:
>>>> On (05/11/15 12:42), Sumit Bose wrote:
>>>> >On Thu, Nov 05, 2015 at 12:12:17PM +0100, Lukas Slebodnik wrote:
>>>> >> ehlo,
>>>> >>
>>>> >> attached simple patch is a result of "Fedora end of life"
>>>> >> message for related Fedora ticket.
>>>> >>
>>>> >> If you have an idea about better names I will be glad to change them.
>>>> >>
>>>> >> BTW should we also remove this part from function
>>>> >> sss_write_krb5_conf_snippet
>>>> >>
>>>> >> LS
>>>> >
>>>> >> From c4d56af303ba4385cf9ef1c9053545c243f07a44 Mon Sep 17 00:00:00 2001
>>>> >> From: Lukas Slebodnik <lslebodn(a)redhat.com>
>>>> >> Date: Thu, 5 Nov 2015 11:08:36 +0100
>>>> >> Subject: [PATCH] BUILD: Enable the sssd krb5 localauth plugin by default
>>>> >>
>>>> >> It will be installed to /etc/krb.conf.d/ only on these
>>>> >> platforms which have krb5 with this directory
>>>> >>
>>>> >> Resolves:
>>>> >> https://fedorahosted.org/sssd/ticket/2449
>>>> >
>>>> >...
>>>> >
>>>> >
>>>> >> new file mode 100644
>>>> >> index
0000000000000000000000000000000000000000..950cab8200eb50d7fc878723d38c93d5b616e468
>>>> >> --- /dev/null
>>>> >> +++ b/src/examples/sssd_localauth.conf.in
>>>> >> @@ -0,0 +1,5 @@
>>>> >> +[plugins]
>>>> >> + localauth = {
>>>> >> + module =
sssd:@krb5localauth_plugindir@/sssd_krb5_localauth_plugin.so
>>>> >> + enable_only = sssd
>>>> >> + }
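Review bot: `enable_only = sssd` on the fourth added line of sssd_localauth.conf.in restricts the localauth interface to the sssd module alone, so the built-in k5login check mentioned later in this thread would not be consulted on any host that receives this file; drop the line unless that is the intended default. The new file also has no comment saying which package installs it, which an administrator finding it under krb5.conf.d would want.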
>>>> >
>>>> >just a comment, I think enable_only should not be used here. I added it
>>>> >originally because I thought no other modules would be needed anymore,
>>>> >but I was wrong, see e.g. https://fedorahosted.org/sssd/ticket/2788 or
>>>> >https://fedorahosted.org/sssd/ticket/2707.
>>>> >
>>>> I was inspired by /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
>>>>
>>>> I removed the option enable_only.
>>>> Will it solve #2707 and #2788?
>>>> Or is it unrelated?
>>>
>>>It depends. If e.g. the AD and IPA providers would not create
>>>/var/lib/sss/pubconf/krb5.include.d/localauth_plugin anymore if
>>>/etc/krb5.conf.d/sssd_localauth.conf exists I think #2788 is fixed
>>>because we would fall back to the builtin k5login check if enable_only
>>>is not set in /etc/krb5.conf.d/sssd_localauth.conf. If both files exist
>>>and there is a 'includedir /var/lib/sss/pubconf/krb5.include.d/' in
>>>/etc/krb5.conf it depends which file is processed first so I think we
>>>should try to avoid it.
>>>
>>OK, I removed "enable_only" from both places.
>>
>>>Btw, what about the domain_realm mapping files we create in
>>>/var/lib/sss/pubconf/krb5.include.d/localauth_plugin ? Should they be
>>>created in /etc/krb5.conf.d/ if the directory exists? (Must not be
>>>solved in the context of this ticket).
>>>
>>It would be good to store domain_realm mapping files there
>>but it would not be allowed in non-root mode.
>>
>>sh$ ls -ld /etc/krb5.conf.d/
>>drwxr-xr-x. 1 root root 30 Dec 23 17:12 /etc/krb5.conf.d/
>>
>>>If the file is labeled as '%config(noreplace)' in the spec
>>>file we could say that the list is now configurable because changes stay
>>>and close #2707 as well.
>>>
>>BTW /etc/krb5.conf.d/ is available (and included in krb5.conf)
>>only on fedora 23+. So older distributions will still
>>generate the file into /var/lib/sss/pubconf/krb5.include.d/
>>
>>LS
>
>ups,
>I sent wrong patches. New version is attached.
>
>LS
>From 8fbe324a52878bbfb206bd1ff9dfdf930cea7c68 Mon Sep 17 00:00:00 2001
>From: Lukas Slebodnik <lslebodn(a)redhat.com>
>Date: Tue, 12 Jan 2016 12:56:31 +0100
>Subject: [PATCH 1/2] UTIL: Remove enable_only from krb5 localauth config
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/2788
>---
> src/util/domain_info_utils.c | 1 -
> 1 file changed, 1 deletion(-)
>
>diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
>index
0791da3046c35e28cb1b479bb05610412acdb53c..4d7a927a0b946baed0658315104abe0ea3567279 100644
>--- a/src/util/domain_info_utils.c
>+++ b/src/util/domain_info_utils.c
>@@ -531,7 +531,6 @@ done:
> "[plugins]\n" \
> " localauth = {\n" \
> " module =
sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
>-" enable_only = sssd\n" \
> " }"
>
> static errno_t sss_write_krb5_localauth_snippet(const char *path)
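Review bot: the removal of `enable_only = sssd` from the snippet string comes without a test change in this patch (its diffstat lists only src/util/domain_info_utils.c), so if the cmocka test in src/tests/cmocka/test_utils.c, which patch 2/2 modifies, compares the written file against the old text, this commit fails on its own and breaks bisection; move the matching test update into this patch. The commit message would also benefit from one sentence on why the option is dropped, beyond the ticket link.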
>--
>2.5.0
>
>From 24cec8410bac9501181b0bdbf63c8c70b9535e9c Mon Sep 17 00:00:00 2001
>From: Lukas Slebodnik <lslebodn(a)redhat.com>
>Date: Thu, 5 Nov 2015 11:08:36 +0100
>Subject: [PATCH 2/2] BUILD: Enable the sssd krb5 localauth plugin by default
>
>It will be installed to /etc/krb.conf.d/ only on these
>platforms which have krb5 with this directory
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/2449
>---
> Makefile.am | 15 ++++++++++++++-
> contrib/sssd.spec.in | 3 +++
> src/examples/sssd_localauth.conf.in | 4 ++++
> src/external/krb5.m4 | 4 ++++
> src/tests/cmocka/test_utils.c | 8 +++++++-
> src/util/domain_info_utils.c | 7 ++++++-
> 6 files changed, 38 insertions(+), 3 deletions(-)
> create mode 100644 src/examples/sssd_localauth.conf.in
>
>diff --git a/Makefile.am b/Makefile.am
>index
a9d3f25d3775f6ac824b9f9b85dd0412417c33d3..526bbd44926d40d4d3a9a5dc0b3528eed97d7600 100644
>--- a/Makefile.am
>+++ b/Makefile.am
>@@ -55,6 +55,7 @@ sssdapiplugindir = $(sssddatadir)/sssd.api.d
> dbuspolicydir = $(sysconfdir)/dbus-1/system.d
> dbusservicedir = $(datadir)/dbus-1/system-services
> sss_statedir = $(localstatedir)/lib/sss
>+krb5_conf_subdir = $(sysconfdir)/krb5.conf.d/
> localedir = @localedir@
> nsslibdir = @nsslibdir@
> pamlibdir = @pammoddir@
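Review bot: the added `krb5_conf_subdir` line ends in a trailing slash (`$(sysconfdir)/krb5.conf.d/`) while the neighbouring directory variables such as `dbuspolicydir` and `sss_statedir` have none; drop the slash for consistency. The commit message says /etc/krb.conf.d/ where this line and the spec file say krb5.conf.d, so one of the two needs correcting before the patch is pushed.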
>@@ -319,6 +320,10 @@ endif
> if BUILD_KRB5_LOCALAUTH_PLUGIN
> krb5localauth_plugin_LTLIBRARIES = \
> sssd_krb5_localauth_plugin.la
>+
>+if HAVE_KRB5_CONF_D
>+krb5_conf_sub_DATA = src/examples/sssd_localauth.conf
>+endif
> endif
>
> if BUILD_PAC_RESPONDER
>@@ -3433,6 +3438,7 @@ edit_cmd = $(SED) \
> -e 's|@sbindir[@]|$(sbindir)|g' \
> -e 's|@environment_file[@]|$(environment_file)|g' \
> -e 's|@localstatedir[@]|$(localstatedir)|g' \
>+ -e 's|@krb5localauth_plugindir[@]|$(krb5localauth_plugindir)|g' \
> -e 's|@prefix[@]|$(prefix)|g'
>
> replace_script = \
>@@ -3444,7 +3450,9 @@ replace_script = \
>
> EXTRA_DIST += \
> src/sysv/systemd/sssd.service.in \
>- src/sysv/systemd/journal.conf.in
>+ src/sysv/systemd/journal.conf.in \
>+ src/examples/sssd_localauth.conf.in \
>+ $(NULL)
>
> src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile
> @$(MKDIR_P) src/sysv/systemd/
>@@ -3454,6 +3462,10 @@ src/sysv/systemd/journal.conf:
src/sysv/systemd/journal.conf.in Makefile
> @$(MKDIR_P) src/sysv/systemd/
> $(replace_script)
>
>+src/examples/sssd_localauth.conf: src/examples/sssd_localauth.conf.in Makefile
>+ @$(MKDIR_P) src/examples/
>+ $(replace_script)
>+
> SSSD_USER_DIRS = \
> $(DESTDIR)$(dbpath) \
> $(DESTDIR)$(keytabdir) \
>@@ -3662,6 +3674,7 @@ endif
> rm -Rf ldb_mod_test_dir
> rm -f $(builddir)/src/sysv/systemd/sssd.service
> rm -f $(builddir)/src/sysv/systemd/journal.conf
>+ rm -f $(builddir)/src/examples/sssd_localauth.conf
>
> CLEANFILES = *.X */*.X */*/*.X
>
>diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
>index
9855e11a8bb0ff3f50ceeae98f383c514011cc90..67f9617bd56ab5f3a467f4db9f5d0b1b8271d50b 100644
>--- a/contrib/sssd.spec.in
>+++ b/contrib/sssd.spec.in
>@@ -836,6 +836,9 @@ rm -rf $RPM_BUILD_ROOT
> %endif
> %if (0%{?with_krb5_localauth_plugin} == 1)
> %{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
>+%if (0%{?fedora} >= 23)
>+%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_localauth.conf
>+%endif
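Review bot: the `%if (0%{?fedora} >= 23)` guard around the new `%config(noreplace)` line is a different condition from the `HAVE_KRB5_CONF_D` conditional that decides in Makefile.am whether the file is installed, so the two can disagree (for example on a non-Fedora build whose krb5 has the directory) and leave an installed but unpackaged file; drive both from one switch, or have the spec pass the choice to configure explicitly. The visible lines also do not show the package owning or requiring the /etc/krb5.conf.d/ directory itself.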
Simo,
Last week you mentioned that packages should not ship
snippet files in /etc/krb5.conf.d/
As you can see we plan to do it but users can change it
due to %config(noreplace).
Do you still think it is not a good idea?
If you do not like it do you have an alternative solution for
Fedora BZ1145788?

Not a good idea,
the configuration tool should drop there the snippet when it joins a
domain, or perhaps sssd should drop it there at startup (if not already
there) when it knows it can provide information to krb5.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
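
The situation discussed in the quoted thread (both snippet locations present, one of them still carrying enable_only) can be checked mechanically on a host. The following is an added example, not part of this thread or of SSSD; the function names, the finding labels and the sample file contents are constructed for illustration.

```python
import re

# Constructed sample contents for the two locations named in the thread;
# the module path is a placeholder, not a value from the patch.
SSSD_MODULE = "sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so"
SAMPLES = {
    "/etc/krb5.conf.d/sssd_localauth.conf":
        f"[plugins]\n localauth = {{\n  module = {SSSD_MODULE}\n }}\n",
    "/var/lib/sss/pubconf/krb5.include.d/localauth_plugin":
        f"[plugins]\n localauth = {{\n  module = {SSSD_MODULE}\n"
        "  enable_only = sssd\n }\n",
}

SECTION = re.compile(r"^[ \t]*\[(\w+)\][ \t]*$", re.M)
BLOCK = re.compile(r"^[ \t]*localauth[ \t]*=[ \t]*\{(.*?)^[ \t]*\}", re.M | re.S)
RELATION = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(\S+)[ \t]*$", re.M)

def localauth_relations(text):
    """Return (key, value) pairs found in localauth blocks under [plugins]."""
    pairs = []
    # split() with one capture group yields [preamble, name, body, name, body, ...]
    parts = SECTION.split(text)
    for name, body in zip(parts[1::2], parts[2::2]):
        if name == "plugins":
            for block in BLOCK.findall(body):
                pairs.extend(RELATION.findall(block))
    return pairs

def audit(snippets):
    """Flag the two conditions the thread warns about, given {path: contents}."""
    findings = []
    parsed = {path: localauth_relations(text) for path, text in snippets.items()}
    defining = sorted(p for p, rel in parsed.items() if any(k == "module" for k, _ in rel))
    if len(defining) > 1:
        # Which definition wins depends on include order, so report the overlap.
        findings.append(("duplicate-module", tuple(defining)))
    for path in sorted(parsed):
        for key, value in parsed[path]:
            if key == "enable_only":
                # Only the named modules stay enabled; built-in ones are skipped.
                findings.append(("enable-only", path, value))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

To audit a real host, build the dictionary from the files actually present in the two directories instead of `SAMPLES`.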