ehlo,
attached simple patch is a result of "Fedora end of life" message for related Fedora ticket.
If you have an idea about better names I will be glad to change them.
BTW should we also remove this part from function sss_write_krb5_conf_snippet?
LS
On Thu, Nov 05, 2015 at 12:12:17PM +0100, Lukas Slebodnik wrote:
From c4d56af303ba4385cf9ef1c9053545c243f07a44 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik lslebodn@redhat.com
Date: Thu, 5 Nov 2015 11:08:36 +0100
Subject: [PATCH] BUILD: Enable the sssd krb5 localauth plugin by default
It will be installed to /etc/krb.conf.d/ only on these platforms which have krb5 with this directory
...
new file mode 100644 index 0000000000000000000000000000000000000000..950cab8200eb50d7fc878723d38c93d5b616e468 --- /dev/null +++ b/src/examples/sssd_localauth.conf.in @@ -0,0 +1,5 @@ +[plugins]
- localauth = {
- module = sssd:@krb5localauth_plugindir@/sssd_krb5_localauth_plugin.so
- enable_only = sssd
- }
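Review bot: the new sssd_localauth.conf.in carries no comment saying that sssd ships it or what the localauth block is for; because it is installed into a directory administrators edit, a one-line header comment would help. The `enable_only = sssd` line also limits the localauth interface to the sssd module, so the built-in modules are never consulted on any host that installs the file; dropping that line keeps them available.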
just a comment, I think enable_only should not be used here. I added it originally because I thought no other modules would be needed anymore, but I was wrong, see e.g. https://fedorahosted.org/sssd/ticket/2788 or https://fedorahosted.org/sssd/ticket/2707.
bye, Sumit
On (05/11/15 12:42), Sumit Bose wrote:
> just a comment, I think enable_only should not be used here. I added it originally because I thought no other modules would be needed anymore, but I was wrong, see e.g. https://fedorahosted.org/sssd/ticket/2788 or https://fedorahosted.org/sssd/ticket/2707.
I was inspired by /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
I removed the option enable_only. Will it solve #2707 and #2788, or is it unrelated?
LS
On Thu, Nov 05, 2015 at 01:02:07PM +0100, Lukas Slebodnik wrote:
> I was inspired by /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> I removed the option enable_only. Will it solve #2707 and #2788, or is it unrelated?
It depends. If e.g. the AD and IPA providers would not create /var/lib/sss/pubconf/krb5.include.d/localauth_plugin anymore if /etc/krb5.conf.d/sssd_localauth.conf exists I think #2788 is fixed because we would fall back to the builtin k5login check if enable_only is not set in /etc/krb5.conf.d/sssd_localauth.conf. If both files exist and there is a 'includedir /var/lib/sss/pubconf/krb5.include.d/' in /etc/krb5.conf it depends which file is processed first so I think we should try to avoid it.
Btw, what about the domain_realm mapping files we create in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin? Should they be created in /etc/krb5.conf.d/ if the directory exists? (Must not be solved in the context of this ticket).
If the file is labeled as '%config(noreplace)' in the spec file we could say that the list is now configurable because changes stay and close #2707 as well.
bye, Sumit
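The case raised in the message above, a localauth snippet present in both locations with `enable_only` deciding whether the built-in modules are still consulted, can be checked mechanically. This is an added example, not part of the thread or of SSSD; the snippet contents and the module path /usr/lib64/sssd/modules/ are constructed, and the parser handles only the `[plugins]` / `localauth` layout shown in the patch.

```python
import re

# Constructed sample snippets (not taken from a real host). The two paths are
# the locations discussed in the thread; the file contents are assumptions.
SAMPLE_SNIPPETS = {
    "/etc/krb5.conf.d/sssd_localauth.conf": """\
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
""",
    "/var/lib/sss/pubconf/krb5.include.d/localauth_plugin": """\
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }
""",
}


def parse_localauth(text):
    """Collect 'module' and 'enable_only' values from [plugins] / localauth."""
    found = {"module": [], "enable_only": []}
    section = None
    in_localauth = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                            # a new top-level section starts
            section, in_localauth = header.group(1), False
            continue
        if section != "plugins":
            continue
        if re.fullmatch(r"localauth\s*=\s*\{", line):
            in_localauth = True
        elif line.startswith("}"):
            in_localauth = False
        elif in_localauth and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in found:
                found[key].append(value)
    return found


def audit(snippets):
    """Return findings for a mapping of {path: file contents}."""
    findings = []
    defining = []
    for path, text in sorted(snippets.items()):
        cfg = parse_localauth(text)
        if cfg["module"] or cfg["enable_only"]:
            defining.append(path)
        if cfg["enable_only"]:
            findings.append(
                f"{path}: enable_only = {', '.join(cfg['enable_only'])} "
                "(built-in localauth modules such as k5login are not consulted)"
            )
    if len(defining) > 1:
        # The thread notes that the result then depends on processing order.
        findings.append(
            "localauth is configured in more than one file: " + ", ".join(defining)
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SNIPPETS):
        print(finding)
```

On a real host the mapping would be built by reading the files that exist at the two paths instead of using SAMPLE_SNIPPETS.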
On (05/11/15 13:51), Sumit Bose wrote:
> It depends. If e.g. the AD and IPA providers would not create /var/lib/sss/pubconf/krb5.include.d/localauth_plugin anymore if /etc/krb5.conf.d/sssd_localauth.conf exists I think #2788 is fixed because we would fall back to the builtin k5login check if enable_only is not set in /etc/krb5.conf.d/sssd_localauth.conf. If both files exist and there is a 'includedir /var/lib/sss/pubconf/krb5.include.d/' in /etc/krb5.conf it depends which file is processed first so I think we should try to avoid it.
OK, I removed "enable_only" from both places.
> Btw, what about the domain_realm mapping files we create in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin? Should they be created in /etc/krb5.conf.d/ if the directory exists? (Must not be solved in the context of this ticket).
It would be good to store domain_realm mapping files there but it would not be allowed in non-root mode.
sh$ ls -ld /etc/krb5.conf.d/
drwxr-xr-x. 1 root root 30 Dec 23 17:12 /etc/krb5.conf.d/
> If the file is labeled as '%config(noreplace)' in the spec file we could say that the list is now configurable because changes stay and close #2707 as well.
BTW /etc/krb5.conf.d/ is available (and included in krb5.conf) only on Fedora 23+. So older distributions will still generate the file into /var/lib/sss/pubconf/krb5.include.d/
LS
On (12/01/16 13:40), Lukas Slebodnik wrote:
> BTW /etc/krb5.conf.d/ is available (and included in krb5.conf) only on Fedora 23+. So older distributions will still generate the file into /var/lib/sss/pubconf/krb5.include.d/
> LS
ups, I sent wrong patches. New version is attached.
LS
On (12/01/16 14:11), Lukas Slebodnik wrote:
> ups, I sent wrong patches. New version is attached.
> LS
From 8fbe324a52878bbfb206bd1ff9dfdf930cea7c68 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik lslebodn@redhat.com
Date: Tue, 12 Jan 2016 12:56:31 +0100
Subject: [PATCH 1/2] UTIL: Remove enable_only from krb5 localauth config
Resolves: https://fedorahosted.org/sssd/ticket/2788
src/util/domain_info_utils.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c index 0791da3046c35e28cb1b479bb05610412acdb53c..4d7a927a0b946baed0658315104abe0ea3567279 100644 --- a/src/util/domain_info_utils.c +++ b/src/util/domain_info_utils.c @@ -531,7 +531,6 @@ done: "[plugins]\n" \ " localauth = {\n" \ " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \ -" enable_only = sssd\n" \ " }"
static errno_t sss_write_krb5_localauth_snippet(const char *path)
2.5.0
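Review bot: in the snippet macro above sss_write_krb5_localauth_snippet, removing enable_only changes only the text that will be written; the hunk does not show whether a localauth_plugin file generated by an earlier version is rewritten. If an existing file is left alone, upgraded hosts keep `enable_only = sssd`, so confirm that the file is regenerated and say so in the commit message, which currently has only the Resolves line.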
From 24cec8410bac9501181b0bdbf63c8c70b9535e9c Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik lslebodn@redhat.com
Date: Thu, 5 Nov 2015 11:08:36 +0100
Subject: [PATCH 2/2] BUILD: Enable the sssd krb5 localauth plugin by default
It will be installed to /etc/krb.conf.d/ only on these platforms which have krb5 with this directory
Resolves: https://fedorahosted.org/sssd/ticket/2449
Makefile.am | 15 ++++++++++++++-
contrib/sssd.spec.in | 3 +++
src/examples/sssd_localauth.conf.in | 4 ++++
src/external/krb5.m4 | 4 ++++
src/tests/cmocka/test_utils.c | 8 +++++++-
src/util/domain_info_utils.c | 7 ++++++-
6 files changed, 38 insertions(+), 3 deletions(-)
create mode 100644 src/examples/sssd_localauth.conf.in
diff --git a/Makefile.am b/Makefile.am index a9d3f25d3775f6ac824b9f9b85dd0412417c33d3..526bbd44926d40d4d3a9a5dc0b3528eed97d7600 100644 --- a/Makefile.am +++ b/Makefile.am @@ -55,6 +55,7 @@ sssdapiplugindir = $(sssddatadir)/sssd.api.d dbuspolicydir = $(sysconfdir)/dbus-1/system.d dbusservicedir = $(datadir)/dbus-1/system-services sss_statedir = $(localstatedir)/lib/sss +krb5_conf_subdir = $(sysconfdir)/krb5.conf.d/ localedir = @localedir@ nsslibdir = @nsslibdir@ pamlibdir = @pammoddir@ @@ -319,6 +320,10 @@ endif if BUILD_KRB5_LOCALAUTH_PLUGIN krb5localauth_plugin_LTLIBRARIES = \ sssd_krb5_localauth_plugin.la
+if HAVE_KRB5_CONF_D +krb5_conf_sub_DATA = src/examples/sssd_localauth.conf +endif endif
if BUILD_PAC_RESPONDER @@ -3433,6 +3438,7 @@ edit_cmd = $(SED) \ -e 's|@sbindir[@]|$(sbindir)|g' \ -e 's|@environment_file[@]|$(environment_file)|g' \ -e 's|@localstatedir[@]|$(localstatedir)|g' \
-e 's|@krb5localauth_plugindir[@]|$(krb5localauth_plugindir)|g' \ -e 's|@prefix[@]|$(prefix)|g'
replace_script = \ @@ -3444,7 +3450,9 @@ replace_script = \
EXTRA_DIST += \ src/sysv/systemd/sssd.service.in \
- src/sysv/systemd/journal.conf.in
- src/sysv/systemd/journal.conf.in \
- src/examples/sssd_localauth.conf.in \
- $(NULL)
src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile @$(MKDIR_P) src/sysv/systemd/ @@ -3454,6 +3462,10 @@ src/sysv/systemd/journal.conf: src/sysv/systemd/journal.conf.in Makefile @$(MKDIR_P) src/sysv/systemd/ $(replace_script)
+src/examples/sssd_localauth.conf: src/examples/sssd_localauth.conf.in Makefile
- @$(MKDIR_P) src/examples/
- $(replace_script)
SSSD_USER_DIRS = \ $(DESTDIR)$(dbpath) \ $(DESTDIR)$(keytabdir) \ @@ -3662,6 +3674,7 @@ endif rm -Rf ldb_mod_test_dir rm -f $(builddir)/src/sysv/systemd/sssd.service rm -f $(builddir)/src/sysv/systemd/journal.conf
- rm -f $(builddir)/src/examples/sssd_localauth.conf
CLEANFILES = *.X */*.X */*/*.X
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 9855e11a8bb0ff3f50ceeae98f383c514011cc90..67f9617bd56ab5f3a467f4db9f5d0b1b8271d50b 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -836,6 +836,9 @@ rm -rf $RPM_BUILD_ROOT %endif %if (0%{?with_krb5_localauth_plugin} == 1) %{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so +%if (0%{?fedora} >= 23) +%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_localauth.conf +%endif
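Review bot: the Makefile.am hunk at @@ -55,6 +55,7 @@ sets krb5_conf_subdir to $(sysconfdir)/krb5.conf.d/, while the commit message names /etc/krb.conf.d/; fix the message so it matches the installed path. The directory is also hard-coded here even though the install is gated on HAVE_KRB5_CONF_D, and the krb5.m4 change that defines that conditional is listed in the diffstat but not shown, so it cannot be checked that the tested directory and the install directory are the same one.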
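Review bot: in the contrib/sssd.spec.in hunk, the %files entry is gated on `%if (0%{?fedora} >= 23)` while Makefile.am installs the file under `if HAVE_KRB5_CONF_D`; these are two independent tests for the same condition. If configure finds the directory on a build where the Fedora condition is false, sssd_localauth.conf is installed but not listed in %files, and in the reverse case %files lists a file that was never installed. Deriving the spec condition from the same check, or documenting why the two always agree, would avoid that.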
Simo,
Last week you mentioned that packages should not ship snippet files in /etc/krb5.conf.d/
As you can see we plan to do it but users can change it due to %config(noreplace).
Do you still think it is not a good idea? If you do not like it, do you have an alternative solution for Fedora BZ1145788?
L
On Tue, 2016-02-16 at 17:36 +0100, Lukas Slebodnik wrote:
> Simo,
> Last week you mentioned that packages should not ship snippet files in /etc/krb5.conf.d/
> As you can see we plan to do it but users can change it due to %config(noreplace).
> Do you still think it is not a good idea? If you do not like it, do you have an alternative solution for Fedora BZ1145788?
Not a good idea, the configuration tool should drop there the snippet when it joins a domain, or perhaps sssd should drop it there at startup (if not already there) when it knows it can provide information to krb5.
Simo.
sssd-devel@lists.fedorahosted.org