Hi, this patch makes ipa-client-install configure SSSD as the data provider for the sudo service by default. This behaviour can be disabled with the --no-sudo flag.
https://fedorahosted.org/freeipa/ticket/3358 -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org
>From 68de0976b010a484fe29505c161bc874fc0d9e50 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tomasba...@gmail.com>
Date: Thu, 21 Nov 2013 13:09:28 +0100
Subject: [PATCH] ipa-client-install: Configure sudo to use SSSD as data source

Makes ipa-client-install configure SSSD as the data provider for the sudo service by default. This behaviour can be disabled by using --no-sudo flag.
https://fedorahosted.org/freeipa/ticket/3358
---
 ipa-client/ipa-install/ipa-client-install | 46 +++++++++++++++++++++++++++++++
 ipa-client/man/ipa-client-install.1 | 3 ++
 2 files changed, 49 insertions(+)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 03679c10d09c64a284e3950a1808887ec52ae5ea..c20db0816e1d77d1fcda061d58a74d94eea8b9cf 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -137,6 +137,9 @@ def parse_options():
 help="do not configure OpenSSH client")
 basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
 help="do not configure OpenSSH server")
+ basic_group.add_option("--no-sudo", dest="conf_sudo", default=True,
+ action="store_false",
+ help="do not configure SSSD as data source for sudo")
 basic_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
 help="do not automatically create DNS SSHFP records")
 basic_group.add_option("--noac", dest="no_ac", default=False, action="store_true",
@@ -1141,6 +1144,49 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie
 sssdconfig.activate_service('ssh')
+ if options.conf_sudo:
+ # Activate the service in the SSSD config
+ try:
+ sssdconfig.new_service('sudo')
+ except SSSDConfig.ServiceAlreadyExists:
+ pass
+ except SSSDConfig.ServiceNotRecognizedError:
+ root_logger.error("Unable to activate the SUDO service in "
+ "SSSD config.")
+
+ sssdconfig.activate_service('sudo')
+
+ # Backup the nsswitch.conf, we're going to edit it now
+ NSSWITCH_CONF = '/etc/nsswitch.conf'
+ fstore.backup_file(NSSWITCH_CONF)
+
+ conf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
+ conf.setOptionAssignment(':')
+
+ # Determine if nsswitch already contains files for sudoers or not
+ sudoers_value = ' sss'
+
+ with open('/etc/nsswitch.conf', 'r') as f:
+ opts = conf.parse(f)
+ option_result = conf.findOpts(opts, 'option', 'sudoers')[1]
+
+ if option_result and 'files' in option_result['value']:
+ sudoers_value = ' files sss'
+
+ # Set sss as data source for sudoers
+ opts = [{'name':'sudoers',
+ 'type':'option',
+ 'action':'set',
+ 'value': sudoers_value
+ },
+ {'name':'empty',
+ 'type':'empty'
+ }]
+
+ conf.changeConf(NSSWITCH_CONF, opts)
+ root_logger.info("Configured %s" % NSSWITCH_CONF)
+
+
 domain.add_provider('ipa', 'id')
 #add discovery domain if client domain different from server domain
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index a7acf58e532d4d39abd6db0bd5c38a74a708ee3e..b3526379f44eec4ada9303c9d3987bc889256118 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -137,6 +137,9 @@ Do not configure OpenSSH client.
 \fB\-\-no\-sshd\fR
 Do not configure OpenSSH server.
 .TP
+\fB\-\-no\-sudo\fR
+Do not configure SSSD as a data source for sudo.
+.TP
 \fB\-\-no\-dns\-sshfp\fR
 Do not automatically create DNS SSHFP records.
 .TP
--
1.8.5.3
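Review bot: In the `configure_sssd_conf` hunk, the `except SSSDConfig.ServiceNotRecognizedError` branch only logs, so execution still reaches `sssdconfig.activate_service('sudo')` and the nsswitch.conf rewrite even though SSSD did not accept the sudo service; what `activate_service` does in that case is not visible here, but the host could end up with `sudoers` pointing at `sss` with no sudo service configured behind it. Record the failure and skip both the activation and the nsswitch edit when it occurs, as sketched below. Separately, the new `sudoers` value is always `' sss'` or `' files sss'`, so any other source already on that line appears to be dropped, with only the `fstore` backup keeping it; either append `sss` to the existing value or add a comment saying the replacement is intended, since it changes where sudo policy is looked up. The read also repeats the literal path, where `with open(NSSWITCH_CONF, 'r') as f:` would use the constant defined just above it. The function body starts before and continues after the hunk.

```python
    if options.conf_sudo:
        sudo_service_ok = True
        # … unchanged: try / except SSSDConfig.ServiceAlreadyExists …
        except SSSDConfig.ServiceNotRecognizedError:
            sudo_service_ok = False
            # … unchanged: root_logger.error(...) …

        if sudo_service_ok:
            sssdconfig.activate_service('sudo')
            # … unchanged: nsswitch.conf backup, parse and sudoers edit, one level deeper …
```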