On Tue, 2011-09-13 at 16:22 +0300, Alexander Bokovoy wrote:
> On Tue, 13 Sep 2011, Martin Kosek wrote:
> > > So this patch is unblocked. To solve delayed data initialization from 
> > > SSSD in NSS responder we might simply increase number of tries to 10 
> > > in case SSSD is in use.
> > That sounds good. I made a few tests of this patch and I still see a
> > problem here. What if, for any reason, sssd.conf is not present on the
> > machine? IPA client installation then crashes:
> > 
> > # ipa-client-install --server vm-139.idm.lab.bos.redhat.com --domain 
> > idm.lab.bos.redhat.com
> > DNS domain 'idm.lab.bos.redhat.com' is not configured for automatic KDC 
> > address lookup.
> > KDC address will be set to fixed value.
> > 
> > Discovery was successful!
> > Hostname: vm-027.idm.lab.bos.redhat.com
> > Realm: IDM.LAB.BOS.REDHAT.COM
> > DNS Domain: idm.lab.bos.redhat.com
> > IPA Server: vm-139.idm.lab.bos.redhat.com
> > BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> > 
> > 
> > Continue to configure the system with these values? [no]: y
> > User authorized to enroll computers: admin
> > Password for ad...@idm.lab.bos.redhat.com: 
> > 
> > Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
> > Created /etc/ipa/default.conf
> > Traceback (most recent call last):
> >   File "/usr/sbin/ipa-client-install", line 1144, in <module>
> >     sys.exit(main())
> >   File "/usr/sbin/ipa-client-install", line 1133, in main
> >     rval = install(options, env, fstore, statestore)
> >   File "/usr/sbin/ipa-client-install", line 977, in install
> >     if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, 
> > options):
> >   File "/usr/sbin/ipa-client-install", line 600, in configure_sssd_conf
> >     sssdconfig.import_config()
> >   File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1207, in 
> > import_config
> >     fd = open(configfile, 'r')
> > IOError: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf'
> Right, we need to fall back to a new sssd.conf in case of any exception, 
> not only for ParsingError.


Actually, that's not necessarily true. Do we want to fall back on
permission error, for instance? This could result in clobbering an
existing file (if for example the existing sssd.conf's SELinux context
is wrong, preventing reading, but when we create a new one and save it
in place later we have the right context and it replaces the old one).

Admittedly, it's a contrived example, but where contrived examples
exist, so can real issues.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
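The distinction drawn in the reply above (fall back to a fresh config only when the existing file is genuinely absent or unparsable, never on a permission or other I/O error that could mean a readable file is being masked) can be written as a small policy function. The code below is an added illustration, not code from this thread or from the FreeIPA client installer; it uses Python 3 `configparser` as a stand-in for the SSSDConfig module, the hypothetical `opener` parameter exists only so the permission-denied path can be exercised without changing file modes, and the sample files are constructed in a temporary directory.

```python
import configparser
import errno
import os
import tempfile


def should_fallback(exc):
    """Return True only for failures that mean 'no usable config exists'.

    ENOENT: the file is really missing, so creating a new one clobbers nothing.
    ParsingError: the file is present but not a valid config.
    Anything else (EACCES from a wrong SELinux context, EIO, ...) returns False:
    the file may be perfectly good, and writing a fresh one over it later would
    silently replace it.
    """
    if isinstance(exc, OSError) and exc.errno == errno.ENOENT:
        return True
    if isinstance(exc, configparser.ParsingError):
        return True
    return False


def load_or_create_config(path, opener=open):
    """Load the config at ``path``; return (parser, created_new).

    ``opener`` is a hypothetical hook used here only so tests can simulate a
    permission failure; the real code would just call open().
    """
    parser = configparser.ConfigParser()
    try:
        with opener(path, "r") as fh:
            parser.read_file(fh, source=path)
        return parser, False
    except Exception as exc:
        if should_fallback(exc):
            fresh = configparser.ConfigParser()
            fresh.add_section("sssd")  # minimal skeleton, stand-in for SSSDConfig.new_config()
            return fresh, True
        raise  # installer should stop here rather than overwrite the file later


def demo():
    """Exercise the three cases from the thread on constructed sample files."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        # 1. sssd.conf does not exist at all -> a new config is created
        missing = os.path.join(tmp, "sssd.conf")
        _, created = load_or_create_config(missing)
        outcomes["missing"] = "created" if created else "loaded"

        # 2. sssd.conf exists but is not parsable -> a new config is created
        malformed = os.path.join(tmp, "sssd-bad.conf")
        with open(malformed, "w") as fh:
            fh.write("[sssd]\nthis line has no key = value delimiter\n")
        _, created = load_or_create_config(malformed)
        outcomes["malformed"] = "created" if created else "loaded"

        # 3. sssd.conf exists but cannot be read -> error propagates, no clobbering
        def denied_opener(path, mode):
            raise PermissionError(errno.EACCES, "Permission denied", path)

        try:
            load_or_create_config(os.path.join(tmp, "sssd.conf"), opener=denied_opener)
            outcomes["permission"] = "created"
        except PermissionError:
            outcomes["permission"] = "raised"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The point of `should_fallback` is that the decision is made on the error's identity, not on the mere fact that an exception occurred; a catch-all `except Exception` would turn the SELinux-context case described above into a silent overwrite of a valid file.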
