On Tue, 2011-09-13 at 16:22 +0300, Alexander Bokovoy wrote: > On Tue, 13 Sep 2011, Martin Kosek wrote: > > > So this patch is unblocked. To solve delayed data initialization from > > > SSSD in NSS responder we might simply increase number of tries to 10 > > > in case SSSD is in use. > > That sounds good. I made few tests of this patch and I still see a > > problem here. What if, for any reason, sssd.conf is not present on the > > machine? IPA client installation then crashes: > > > > # ipa-client-install --server vm-139.idm.lab.bos.redhat.com --domain > > idm.lab.bos.redhat.com > > DNS domain 'idm.lab.bos.redhat.com' is not configured for automatic KDC > > address lookup. > > KDC address will be set to fixed value. > > > > Discovery was successful! > > Hostname: vm-027.idm.lab.bos.redhat.com > > Realm: IDM.LAB.BOS.REDHAT.COM > > DNS Domain: idm.lab.bos.redhat.com > > IPA Server: vm-139.idm.lab.bos.redhat.com > > BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com > > > > > > Continue to configure the system with these values? [no]: y > > User authorized to enroll computers: admin > > Password for ad...@idm.lab.bos.redhat.com: > > > > Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM > > Created /etc/ipa/default.conf > > Traceback (most recent call last): > > File "/usr/sbin/ipa-client-install", line 1144, in <module> > > sys.exit(main()) > > File "/usr/sbin/ipa-client-install", line 1133, in main > > rval = install(options, env, fstore, statestore) > > File "/usr/sbin/ipa-client-install", line 977, in install > > if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, > > options): > > File "/usr/sbin/ipa-client-install", line 600, in configure_sssd_conf > > sssdconfig.import_config() > > File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1207, in > > import_config > > fd = open(configfile, 'r') > > IOError: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf' > Right, we need to fallback to new sssd.conf in case of any exception, > not only for ParsingError.
Actually, that's not necessarily true. Do we want to fall back on permission error, for instance? This could result in clobbering an existing file (if for example the existing sssd.conf's SELinux context is wrong, preventing reading, but when we create a new one and save it in place later we have the right context and it replaces the old one). Admittedly, it's a contrived example, but where contrived examples exist, so can real issues.
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
