On 03/24/2014 03:27 PM, Jan Pazdziora wrote:
> On Mon, Mar 24, 2014 at 02:57:30PM +0100, Martin Kosek wrote:
>> On 03/24/2014 02:47 PM, Jan Pazdziora wrote:
>>> On Mon, Mar 03, 2014 at 08:24:41PM +0100, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> Makes ipa-client-install configure SSSD as the data provider
>>>> for the sudo service by default. This behaviour can be disabled
>>>> by using --no-sudo flag.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3358
>>>
>>> Ack.
>>>
>>> Applied against ipa-client-3.0.0-37.el6.x86_64, tried without
>>> --no-sudo and sudo was added to sssd.conf's services list and sudoeers
>>> added to /etc/nsswitch.conf.
>>>
>>> Rerun with --uninstall and run again with the --no-sudo parameter,
>>> those settings were not longer there.
>>>
>>
>> Did you also do the functional test?
> 
> No. I do not want to get dragged into the discussion of having the
> correct sssd and sudo and glibc versions and SELinux and stuff. The
> ticket explicitly talk about setting configuration in config files,
> which the patch does.
> 
>> To ack and push this ticket, following
>> scenario needs to work:
> 
> Consumption of those configuration changes is really different story,
> isn't it?
> 
>> 1) IPA clients enroll against IPA server without --no-sudo
>> 2) IPA client user logs in, types "sudo -l", gets all allowed commands
>> (prerequisite is of course to have sudo commands defined on the IPA server)
>> 3) IPA client reboots, IPA client user logs in, types "sudo -l", gets all
>> allowed commands
>>
>> For 2) to work, NIS domain name must be set, nsswitch and SSSD changes must 
>> be done
>>
>> For 3) to work, related systemd service preserving NIS domain name setting
>> needs to be enabled
> 
> With the commit message only talking about configuring sssd, I assume
> the NIS domain name mentioned in the ticket will be done by some other
> patch.
> 
> To me, the patch does what is advertised in the commit message, and is
> in line with what the ticket asks to be done.
> 

To me, it is not. I see your point that the commit message does not promise
that FreeIPA client sudo would work after this change, but as this is the sole
purpose of https://fedorahosted.org/freeipa/ticket/3358 and these patches are
the final "umbrella" patches, let us assume that.

To sum it up, I would prefer to push all these related patches and close this
ticket when it actually works.

Thanks,
Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to