Martin Kosek wrote:
On 10/31/2012 11:00 AM, Jakub Hrozek wrote:
On Mon, Oct 22, 2012 at 02:14:00PM -0400, Simo Sorce wrote:
On Mon, 2012-10-22 at 17:15 +0200, Martin Kosek wrote:
On 10/08/2012 08:27 PM, Rob Crittenden wrote:
Jakub Hrozek wrote:
On Fri, Aug 17, 2012 at 12:20:27PM -0400, Simo Sorce wrote:


----- Original Message -----
Hi,

the attached patches add the directory to which the SSSD writes domain-realm
mappings as an includedir to krb5.conf when installing the client.

[PATCH 1/3] ipachangeconf: allow specifying non-default delimiter for
options
ipachangeconf only allows one delimiter between keys and values. This
patch adds the possibility of also specifying "delim" in the option
dictionary to override the default delimiter.

On a slightly-unrelated note, we really should think about adopting
Augeas. Changing configuration with home-grown scripts is getting
tricky.

[PATCH 2/3] Specify includedir in krb5.conf on new installs
This patch utilizes the new functionality from the previous patch to
add
the includedir on top of the krb5.conf file

[PATCH 3/3] Add the includedir to krb5.conf on upgrades
This patch is completely untested and I'm only posting it to get
opinions. At first I was going to use an upgrade script in %post but
then I thought it would be overengineering when all we want to do is
prepend one line. Would a simple munging like this be acceptable or
shall I write a full script?

NACK, using a scriptlet is fine, but not the way you did, as it has a huge
race condition where krb5.conf exists and has only one line in it (the
include line).

You should first create the new file: echo "include ..." > /etc/krb.conf.ipanew
Then cat the contents of the existing file in it: cat /etc/krb.conf >> /etc/krb.conf.ipanew
And finally atomically rename it: mv /etc/krb.conf.ipanew /etc/krb.conf

This method is also safe wrt something killing the yum process ...

Simo.

I'm attaching a new revision of the patches not even two months after
the original nack.

I also think it might be nice to have a more general way of upgrading
the client config so I filed
https://fedorahosted.org/freeipa/ticket/3149

I don't think grepping for a string is an effective way to determine if the
client has been configured. Someone could have removed that line.

I'd prefer using /var/lib/ipa-client/sysrestore/sysrestore.index. If it exists
and has more than 2 lines in it ([files] + one other file) then it is safe to
say the client is configured, or at least partially configured.

rob


I just found one more issue. What if ipa-client-install is run with the --no-sssd
option? In that case I assume we should not include the SSSD's krb5.include.d,
right? The same would also apply for upgrades, we would need to check if the client
was actually configured with SSSD before mangling their krb5.conf.

Yeah that's right, we should have all sssd related changes under a
conditional that is true only when sssd is enabled.

Simo.

OK, new patches are attached. In new installs, the includedir is only
added when options.sssd is true. During upgrades, I checked for
sssd.conf's existence, I'm not sure if there's any other way to check if
the client was configured with sssd?

Hello Jakub, thanks for these patches. I think that checking if /etc/sssd.conf
exists is actually not so bad a way to test if it was configured. Anyway, I did
a few tests on server and client but I still see a few issues:

1) SELinux context of krb5.conf is not as expected (but I am not sure what real
issue that could cause):

# restorecon -FvvR /etc/krb5.conf
restorecon reset /etc/krb5.conf context
unconfined_u:object_r:etc_t:s0->system_u:object_r:krb5_conf_t:s0

2) I can no longer kinit on IPA server after applying your patch
# rpm -q sssd
sssd-1.9.90-0.20121030T1436Zgitf46bf56.fc17.x86_64
# rpm -Uvh --force freeipa-*.rpm
# head -n 5 /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
# KRB5_TRACE=/dev/stdout kinit admin
[21059] 1351684052.658548: Getting initial credentials for ad...@idm.lab.bos.redhat.com
[21059] 1351684052.665269: Sending request (200 bytes) to IDM.LAB.BOS.REDHAT.COM
[21059] 1351684052.665989: Resolving hostname vm-044.idm.lab.bos.redhat.com
[21059] 1351684052.667511: Sending initial UDP request to dgram 10.16.78.44:88
[21059] 1351684052.672514: Received answer from dgram 10.16.78.44:88
[21059] 1351684052.672653: Response was from master KDC
[21059] 1351684052.672751: Received error from KDC: -1765328370/KDC has no support for encryption type
kinit: KDC has no support for encryption type while getting initial credentials


Now when I comment includedir:
# head -n 5 /etc/krb5.conf
# kinit admin
Password for ad...@idm.lab.bos.redhat.com:
# echo $?
0

When I upgraded client machine (without krb5kdc), kinit worked fine. Does that
mean that krb5.conf can only be changed on client machines?

3) We should also add Requires on sssd >= 1.9.0 in FreeIPA spec file to pick up
the new feature. Otherwise I just get an error on client:

# kinit admin
kinit: Included profile directory could not be read while initializing Kerberos 5 library

4) (Optional) I think we can make the process of checking if IPA is configured
easier and follow a similar way that Sumit did:
https://fedorahosted.org/freeipa/changeset/fe66fbe637132ac5eb22eea388e2261f33497bf5/

This section:

+restore=0
+test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l
'/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
+    if ! egrep -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf
2>/dev/null ; then
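Review bot: the condition `if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]` only works because `restore=0` guarantees a numeric value; quoting it as `"$restore"` and writing the two tests joined with `&&` instead of the obsolescent `-a` keeps the scriptlet portable across /bin/sh implementations. Also, `wc -l` counts newline characters, so a sysrestore.index whose last line has no trailing newline comes out one short of the intended "[files] + one other file" threshold; `grep -c '' file` counts every line regardless.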

could then be replaced by something like this:

python -c "import sys; from ipapython import ipautil; sys.exit(0 if ipautil.is_ipaclient_configured() else 1);" > /dev/null 2>&1
if [ $? -eq 0 ]; then

I am not saying you need to do this step, this can be done later by us.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


I'm not sure how you ran into problems on master because krb5.conf wasn't being set up by default on IPA masters (I had to update the krb5.conf.template to get that done).

Once updated we get a slew of AVCs:

type=SYSCALL msg=audit(1352143784.563:2184): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=7f485970dc0b a2=90800 a3=0 items=0 ppid=1 pid=5307 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1352143784.563:2184): avc: denied { open } for pid=5307 comm="krb5kdc" path="/var/lib/sss/pubconf/krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.563:2184): avc: denied { read } for pid=5307 comm="krb5kdc" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.563:2184): avc: denied { search } for pid=5307 comm="krb5kdc" name="pubconf" dev="sda3" ino=129 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.781:2186): avc: denied { open } for pid=5320 comm="kadmind" path="/var/lib/sss/pubconf/krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.781:2186): avc: denied { read } for pid=5320 comm="kadmind" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143816.001:2192): avc: denied { read } for pid=5428 comm="httpd" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143851.870:2200): avc: denied { read } for pid=5489 comm="ns-slapd" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=SYSCALL msg=audit(1352143852.271:2201): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=6 a3=7fff416fea80 items=0 ppid=1 pid=5308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1352143852.271:2201): avc: denied { block_suspend } for pid=5308 comm="krb5kdc" capability=36 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:krb5kdc_t:s0 tclass=capability2
type=SYSCALL msg=audit(1352143852.294:2204): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=7ff22c96cc0b a2=90800 a3=0 items=0 ppid=1 pid=5573 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1352143852.294:2204): avc: denied { open } for pid=5573 comm="krb5kdc" path="/var/lib/sss/pubconf/krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143852.294:2204): avc: denied { read } for pid=5573 comm="krb5kdc" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143852.294:2204): avc: denied { search } for pid=5573 comm="krb5kdc" name="pubconf" dev="sda3" ino=129 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143855.199:2210): avc: denied { read } for pid=5516 comm="ns-slapd" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143854.002:2208): avc: denied { read } for pid=5583 comm="httpd" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=SYSCALL msg=audit(1352143863.255:2218): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=6 a3=7fff40924bf0 items=0 ppid=1 pid=5574 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1352143863.255:2218): avc: denied { block_suspend } for pid=5574 comm="krb5kdc" capability=36 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:krb5kdc_t:s0 tclass=capability2
type=SYSCALL msg=audit(1352143866.074:2229): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=7f38ce963c0b a2=90800 a3=0 items=0 ppid=1 pid=5821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1352143866.074:2229): avc: denied { open } for pid=5821 comm="krb5kdc" path="/var/lib/sss/pubconf/krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143866.074:2229): avc: denied { read } for pid=5821 comm="krb5kdc" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143866.074:2229): avc: denied { search } for pid=5821 comm="krb5kdc" name="pubconf" dev="sda3" ino=129 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir

rob
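The write-new-file-then-rename sequence Simo describes, together with the "is this an SSSD-backed IPA client" test from the quoted scriptlet, as an added example that is not code from the FreeIPA patches in this thread. All paths are function parameters (an assumption made so the functions can be exercised on scratch copies rather than /etc).

```shell
#!/bin/sh
# Added example, not code from the FreeIPA patches in this thread.
# Implements the prepend sequence Simo describes (build the new file, then
# rename it over krb5.conf in one step) and the "is this an SSSD-backed IPA
# client" test from the quoted scriptlet.  All paths are parameters so the
# functions can be exercised on scratch copies instead of /etc.

INCLUDEDIR_LINE='includedir /var/lib/sss/pubconf/krb5.include.d/'

# Returns 0 when $1 (sssd.conf) exists and $2 (sysrestore.index) has at
# least two lines: "[files]" plus one backed-up file, as Rob suggested.
ipa_client_uses_sssd() {
    [ -f "$1" ] || return 1
    [ -f "$2" ] || return 1
    # grep -c '' counts lines even when the last one lacks a newline,
    # which wc -l would miss.
    [ "$(grep -c '' "$2")" -ge 2 ]
}

# Prepends INCLUDEDIR_LINE to the krb5.conf at $1 unless that exact line is
# already present.  The file is never truncated in place: a sibling temp file
# receives the full new content and is then renamed over the original, so a
# reader (or a killed package manager) sees either the old or the new file.
add_includedir() {
    conf=$1
    new="$conf.ipanew"
    if grep -qxF "$INCLUDEDIR_LINE" "$conf" 2>/dev/null; then
        return 0   # already there; nothing to do
    fi
    # cp -p gives the temp file the original's mode and ownership.
    cp -p "$conf" "$new" || return 1
    if ! { printf '%s\n' "$INCLUDEDIR_LINE"; cat "$conf"; } > "$new"; then
        rm -f "$new"
        return 1
    fi
    mv -f "$new" "$conf" || return 1
    # The renamed file keeps the label the temp file was created with, not
    # krb5_conf_t (Martin's restorecon finding); relabel when the tool exists.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$conf" 2>/dev/null || :
    fi
}
```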
