On 03/24/2014 03:27 PM, Jan Pazdziora wrote: > On Mon, Mar 24, 2014 at 02:57:30PM +0100, Martin Kosek wrote: >> On 03/24/2014 02:47 PM, Jan Pazdziora wrote: >>> On Mon, Mar 03, 2014 at 08:24:41PM +0100, Tomas Babej wrote: >>>> Hi, >>>> >>>> Makes ipa-client-install configure SSSD as the data provider >>>> for the sudo service by default. This behaviour can be disabled >>>> by using --no-sudo flag. >>>> >>>> https://fedorahosted.org/freeipa/ticket/3358 >>> >>> Ack. >>> >>> Applied against ipa-client-3.0.0-37.el6.x86_64, tried without >>> --no-sudo and sudo was added to sssd.conf's services list and sudoeers >>> added to /etc/nsswitch.conf. >>> >>> Rerun with --uninstall and run again with the --no-sudo parameter, >>> those settings were not longer there. >>> >> >> Did you also do the functional test? > > No. I do not want to get dragged into the discussion of having the > correct sssd and sudo and glibc versions and SELinux and stuff. The > ticket explicitly talk about setting configuration in config files, > which the patch does. > >> To ack and push this ticket, following >> scenario needs to work: > > Consumption of those configuration changes is really different story, > isn't it? > >> 1) IPA clients enroll against IPA server without --no-sudo >> 2) IPA client user logs in, types "sudo -l", gets all allowed commands >> (prerequisite is of course to have sudo commands defined on the IPA server) >> 3) IPA client reboots, IPA client user logs in, types "sudo -l", gets all >> allowed commands >> >> For 2) to work, NIS domain name must be set, nsswitch and SSSD changes must >> be done >> >> For 3) to work, related systemd service preserving NIS domain name setting >> needs to be enabled > > With the commit message only talking about configuring sssd, I assume > the NIS domain name mentioned in the ticket will be done by some other > patch. > > To me, the patch does what is advertised in the commit message, and is > in line with what the ticket asks to be done. >
To me, it is not. I see your point that the commit message does not promise that FreeIPA client sudo would work after this change, but as this is the sole purpose of https://fedorahosted.org/freeipa/ticket/3358 and these patches are the final "umbrella" patches, let us assume that. To sum it up, I would prefer to push all these related patches and close this ticket when it actually works. Thanks, Martin _______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
